Active Directory Federation Services (AD FS) Elevation of Privilege Vulnerability, CVE-2026-56155 (High) -DC-Jul2026-978

Listen to this Post

CVE-2026-56155 is an elevation of privilege vulnerability affecting Microsoft Active Directory Federation Services (AD FS), a critical identity federation component that bridges on-premises Active Directory with cloud-based applications via protocols such as SAML, WS-Federation, and OAuth. The root cause is insufficient granularity of access control within AD FS—the system fails to properly enforce least-privilege principles during authentication and authorization processes.
The vulnerability manifests when AD FS processes security tokens and claims that define user permissions within federated environments. Attackers who have already obtained initial local access—with only low-privileged credentials—can manipulate the flow of identity information by crafting specially formed authentication requests or modifying existing claims to gain elevated access rights. This typically arises from misconfigurations in trust relationships between AD FS servers and relying party applications, where insufficient validation occurs during token processing stages.
The flaw allows an authorized local attacker to escalate privileges to SYSTEM or administrative levels, compromising confidentiality, integrity, and availability (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Because AD FS operates at the intersection of authentication and authorization, the vulnerability is difficult to detect with traditional network-focused security monitoring tools. Microsoft has confirmed active exploitation in the wild, and CISA has added this CVE to its Known Exploited Vulnerabilities Catalog with a remediation deadline of July 28, 2026.
The attack vector is local, requires low privileges, and is rated as easy to exploit. While not a remote code execution flaw, it is particularly dangerous in enterprise environments where AD FS is the cornerstone of identity infrastructure—attackers already inside a network use this kind of bug to move laterally and upward. The exploit price is estimated between $5,000 and $25,000, and MITRE ATT&CK maps this to technique T1068 (Privilege Escalation).

DailyCVE Form:

Platform: ……. Windows Server / Windows
Version: …….. Up to 2025 (all AD FS)
Vulnerability :.. Insufficient Access Control
Severity: ……. 7.8 HIGH (CVSS 3.1)
date: ……….. July 14, 2026

Prediction: ….. Patch by July 28, 2026

What Undercode Say:

Analytics from telemetry and threat intelligence indicate active exploitation campaigns targeting AD FS deployments worldwide. CISA’s BOD 26-04 mandates prioritizing this update. Organizations with exposed AD FS servers should assume compromise if patches are not applied. The following commands and checks are recommended for forensic triage and configuration auditing:

Check AD FS service status and version
Get-Service adfssrv | Select-Object Name, DisplayName, Status, StartType
Review AD FS event logs for suspicious authentication patterns
Get-WinEvent -LogName "AD FS/Admin" | Where-Object { $<em>.Id -in 501, 502, 503 } |
Select-Object TimeCreated, Id, Message
Audit AD FS claims rules for overly permissive transformations
Get-AdfsClaimDescription | Where-Object { $</em>.IsAccepted -eq $true }
Check for trust relationships with relying parties
Get-AdfsRelyingPartyTrust | Select-Object Name, Enabled, NotBeforeSkew,
TokenLifetime, IssuanceTransformRules
Review local privilege assignments that may have been altered
whoami /priv
net localgroup administrators
Verify Windows update status for July 2026 Patch Tuesday
Get-HotFix | Where-Object { $_.HotFixID -like "KB" } | Sort-Object InstalledOn -Descending
Enable verbose AD FS auditing for anomaly detection
Set-AdfsProperties -AuditLevel Verbose
Export current AD FS configuration for baseline comparison
Export-AdfsDeployment -ExportPath C:\ADFS_Backup\ -Force

Exploit:

Public proof-of-concept is not yet available, but exploitation is confirmed in the wild. The attack flow typically follows these steps:
1. Initial Access – Attacker gains local low-privileged access to a system running AD FS (e.g., via phishing, compromised credentials, or supply chain).
2. Token Manipulation – The attacker crafts modified authentication requests or alters existing claims to inject elevated permissions (e.g., adding `admin` or `domainadmin` claims).
3. Bypass Access Controls – Due to insufficient granularity in access control validation, the manipulated tokens are accepted by AD FS.
4. Privilege Escalation – The attacker obtains SYSTEM-level or administrative privileges locally, enabling lateral movement, persistence, and data exfiltration.
This vulnerability can be chained with remote code execution bugs for full server takeover. Attackers leverage the flaw to move from a limited user context to full control over the federation server, potentially compromising all relying parties that trust the AD FS instance.

Protection:

  • Apply Patches Immediately – Install the July 2026 Patch Tuesday update from Microsoft (KBxxxxxx). This is the primary and most effective mitigation.
  • Restrict Local Access – Limit who can log on interactively to AD FS servers. Enforce strict network segmentation and firewall rules.
  • Harden AD FS Configuration – Review and tighten claims rules. Remove overly permissive issuance transforms. Enforce proper trust validation with relying parties.
  • Enable Comprehensive Auditing – Set `Set-AdfsProperties -AuditLevel Verbose` and monitor AD FS Admin event logs for anomalies (IDs 501, 502, 503, 1202, 1203).
  • Implement Multi-Factor Authentication (MFA) – Require MFA for all privileged AD FS administrative access.
  • Regular Penetration Testing – Conduct periodic security assessments of federated environments to identify misconfigurations.
  • Follow CISA Guidance – Adhere to BOD 26-04 and CISA’s Forensics Triage Requirements.

Impact:

  • Confidentiality – Attackers can read sensitive data, including security tokens, user credentials, and federation metadata.
  • Integrity – Manipulated claims allow attackers to modify access rights and impersonate privileged users.
  • Availability – Full administrative control enables disruption of AD FS services, potentially causing denial of service for all federated applications.
  • Lateral Movement – Compromise of AD FS grants attackers a pivot point to move across the enterprise and into cloud environments (Azure AD, Office 365, etc.).
  • Supply Chain Risk – Organizations using federated trusts with partners may inadvertently expose external entities to compromise.
    Given the active exploitation and criticality of AD FS in modern identity architectures, this vulnerability poses a severe risk to enterprise security postures. Immediate patching and forensic review are strongly advised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top