All incidents

CISA warns ADFS flaw allows local privilege escalation

incidentopenJul 14, 2026 — Jul 14, 2026
CISA warns ADFS flaw allows local privilege escalation

ON 14 July 2026 the Cybersecurity and Infrastructure Security Agency added CVE-2026-56155 to its Known Exploited Vulnerabilities catalogue, warning that a flaw in Microsoft Active Directory Federation Services permits a locally authenticated attacker to raise privileges on the host system. The vulnerability is described as insufficient granularity of access control within ADFS and can be exploited with a valid user session. This update follows the agency’s practice of flagging flaws that are already being used in the wild.

The flaw carries a CVSS score of 7.8, rating it as high severity, and originates from a missing check in the ADFS access control layer that lets a low‑privileged user submit a specially formed authentication request. Successful exploitation results in the creation of a security token with elevated rights, effectively granting the attacker local administrator capabilities on the server. A second vulnerability tracked as CVE-2026-56164 affects SharePoint Server, scores 5.3 and can be triggered without any authentication, while CVE-2026-50661 describes a BitLocker bypass mechanism rated at 6.1. Details of the July patch release are outlined in SecurityWeek’s coverage of the update.

Because CISA has placed CVE-2026-56155 in the KEV catalogue, the agency confirms that the flaw is already being exploited in the wild, although no specific threat actor has been publicly attributed to the activity. The vulnerability was among the two zero‑day flaws patched during Microsoft’s July Patch Tuesday, which saw a record 622 updates across Windows, Office and related server products. The same advisory also highlighted CVE-2026-56164 as another actively exploited zero‑day, underlining a trend of attackers targeting identity and collaboration services. Further context on the scale of the update can be found in The Zero Day Initiative’s July 2026 security update review.

The unusually high number of patches reflects what Microsoft describes as an accelerated discovery process driven by increased use of automated analysis and AI‑assisted hunting, which has pushed the year‑to‑date CVE count well above previous totals. For defenders, the concentration of critical flaws in ADFS and SharePoint highlights how identity federation and content collaboration platforms remain attractive targets for privilege escalation and lateral movement.

Organisations that rely on single sign‑on infrastructures should therefore treat these components as high‑risk assets in their threat models. The broader lesson is that timely patching of privileged service components is essential to prevent attackers from chaining local exploits into wider network compromise.

Defenders should apply the July 2026 cumulative updates for Windows Server and related ADFS roles as soon as possible, prioritising the KB articles that address CVE-2026-56155 and CVE-2026-56164. After patching, administrators are advised to review ADFS permission sets, remove any unnecessary claims provider trusts and enforce the principle of least privilege for service accounts.

Enforcing multi‑factor authentication for all interactive logins and restricting local logon rights to trusted administrators can reduce the impact of a successful local privilege escalation attempt. Continuous monitoring of ADFS event logs for abnormal token issuance or repeated failed authentication attempts will help detect exploitation efforts early.

It is also prudent to audit ADFS endpoint configuration, disabling any unused or legacy authentication mechanisms that could widen the attack surface. Before rolling out the updates to production, testing the patches in a staging environment that mirrors the federation farm configuration helps avoid unintended service disruptions.

Finally, organisations should verify that BitLocker recovery keys are stored securely and that the CVE-2026-50661 fix is applied, even though its severity is lower, to close any potential chaining paths. Staying informed through official vendor advisories and the CISA KEV feed remains the most reliable way to track emerging threats.

Intelligence briefing updated Jul 14, 2026

CVE-2026-56155 7.8 KEV CVE-2026-50661 6.1 CVE-2026-56164 5.3 KEV
Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline