2026-07-14 · view entry permalink →
Microsoft July 2026 Patch Tuesday ships two actively-exploited zero-days — AD FS local EoP (CVE-2026-56155) and unauthenticated SharePoint EoP (CVE-2026-56164)
Microsoft's July 2026 Patch Tuesday is its largest ever by CVE count and carries two zero-days Microsoft confirms were exploited before a fix existed, both added to CISA's Known Exploited Vulnerabilities catalog the same day (BleepingComputer, 2026-07-14). CVE-2026-56155 (CVSS 7.8, CWE-1220) is a local elevation-of-privilege in Active Directory Federation Services: an attacker who already holds a low-privileged authorized session on the AD FS host escalates to administrator (Microsoft MSRC, 2026-07-14). It is a post-foothold escalation rather than an initial-access vector, and Microsoft's advisory credits its own DART incident-response team in the acknowledgements — meaning it surfaced during a live intrusion, so an exposed AD FS host should be treated as a candidate for compromise assessment, not merely patched (Microsoft MSRC, 2026-07-14). CVE-2026-56164 (CVSS 5.3, CWE-306) is the more exposed of the two: a missing-authentication flaw in on-prem SharePoint Server that lets an unauthenticated attacker elevate privileges over the network with no user interaction (Microsoft MSRC, 2026-07-14). Microsoft's mitigation guidance — enable AMSI on the SharePoint/IIS worker processes with Request Body Scan set to Full — indicates the trigger is a crafted HTTP POST body, the same class of exposure this pipeline tracked for the CVE-2026-45659 SharePoint deserialization RCE on 2026-07-02, so operators who already tuned AMSI for that flaw have partial coverage.
Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.
Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.
It's a missing-authentication flaw, meaning an unauthenticated attacker can hit it over the network with no user interaction required. When something this reachable is being actively abused, patch it now and worry about the score later.