ctipilot.ch

Microsoft AD FS local elevation of privilege (exploited zero-day)

cve · CVE-2026-56155

Coverage timeline
1
first 2026-07-14 → last 2026-07-14
Peak priority
high
1 high
Sources cited
5
4 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Microsoft Active Directory Federation ServicesMicrosoft SharePoint Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-14/microsoft-july-2026-patch-tuesday-two-exploited-zero-days · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-14/microsoft-july-2026-patch-tuesday-two-exploited-zero-days · ATT&CK page ↗

Story timeline

  1. 2026-07-14Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164)
    trending-vulnerabilitiesMicrosoft patches two exploited zero-days on-prem: an AD FS privilege escalation and an unauthenticated SharePoint EoP, both KEV-listed same day

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • msrc.microsoft.com2 (40%)
  • bleepingcomputer.com1 (20%)
  • krebsonsecurity.com1 (20%)
  • zerodayinitiative.com1 (20%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Microsoft AD FS local elevation of privilege (exploited zero-day) (1)

2026-07-14 · view entry permalink →

HIGHCVE-2026-56155 +1exploitedNATOA1

Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164)

Microsoft's July 2026 Patch Tuesday is its largest ever by CVE count and carries two zero-days Microsoft confirms were exploited before a fix existed, both added to CISA's Known Exploited Vulnerabilities catalog the same day (BleepingComputer, 2026-07-14). CVE-2026-56155 (CVSS 7.8, CWE-1220) is a local elevation-of-privilege in Active Directory Federation Services: an attacker who already holds a low-privileged authorized session on the AD FS host escalates to administrator (Microsoft MSRC, 2026-07-14). It is a post-foothold escalation rather than an initial-access vector, and Microsoft's advisory credits its own DART incident-response team in the acknowledgements — meaning it surfaced during a live intrusion, so an exposed AD FS host should be treated as a candidate for compromise assessment, not merely patched (Microsoft MSRC, 2026-07-14). CVE-2026-56164 (CVSS 5.3, CWE-306) is the more exposed of the two: a missing-authentication flaw in on-prem SharePoint Server that lets an unauthenticated attacker elevate privileges over the network with no user interaction (Microsoft MSRC, 2026-07-14). Microsoft's mitigation guidance — enable AMSI on the SharePoint/IIS worker processes with Request Body Scan set to Full — indicates the trigger is a crafted HTTP POST body, the same class of exposure this pipeline tracked for the CVE-2026-45659 SharePoint deserialization RCE on 2026-07-02, so operators who already tuned AMSI for that flaw have partial coverage.

Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.

Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.

Microsoft MSRC 2026-07-14

It's a missing-authentication flaw, meaning an unauthenticated attacker can hit it over the network with no user interaction required. When something this reachable is being actively abused, patch it now and worry about the score later.

Zero Day Initiative (Trend Micro) 2026-07-14
vulnerability14 Jul 20:19Zmulti-sourceOpen finding ↗