CVE-2026-56155: Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability

Summary

A vulnerability in Microsoft Active Directory Federation Services (AD FS) allows an authorized local attacker to escalate privileges due to insufficient granularity of access control. Microsoft has provided mitigations, and CISA has mandated federal agencies to apply these updates by July 28, 2026.

IFF Assessment

FOE

This vulnerability allows for privilege escalation, which is a significant advantage for an attacker and a detriment to defenders.

Severity

7.8 High

The vulnerability allows a local attacker to gain elevated privileges, which is a critical impact. The attack vector is local, but the ability to escalate privileges from an authorized user makes it a significant risk.

CISA KEV: Listed as actively exploited. Federal patch due: July 28, 2026. Known ransomware use: Unknown.

Defender Context

This vulnerability in AD FS could allow an attacker with initial local access to gain higher privileges, potentially leading to further compromise of sensitive systems and data. Defenders should prioritize patching this vulnerability according to CISA's guidance and monitor for any unusual privilege escalation attempts within their AD FS environment.

Read Full Story →