CVE-2026-56155: Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
Summary
A vulnerability in Microsoft Active Directory Federation Services (AD FS) allows an authorized local attacker to escalate privileges due to insufficient granularity of access control. Microsoft has provided mitigations, and CISA has mandated federal agencies to apply these updates by July 28, 2026.
IFF Assessment
This vulnerability allows for privilege escalation, which is a significant advantage for an attacker and a detriment to defenders.
Severity
The vulnerability allows a local attacker to gain elevated privileges, which is a critical impact. The attack vector is local, but the ability to escalate privileges from an authorized user makes it a significant risk.
CISA KEV: Listed as actively exploited. Federal patch due: July 28, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability in AD FS could allow an attacker with initial local access to gain higher privileges, potentially leading to further compromise of sensitive systems and data. Defenders should prioritize patching this vulnerability according to CISA's guidance and monitor for any unusual privilege escalation attempts within their AD FS environment.