Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability: actively exploited vulnerability added to CISA KEV

Confirmed
Discovered Jul 14, 2026

CISA added CVE-2026-56155 affecting Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.

15
Affected Packages
3
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
windows_server_2012_r2_server_core_installation, windows_server_2012_r2, windows_server_2012_server_core_installation, windows_server_2012
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
Microsoft
CVE-2026-56155
Active Directory Federation Services (AD FS)

Analysis

Executive Summary

CISA added CVE-2026-56155 for Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14, which is the active-exploitation gate for this Halting Problems entry [1]. Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally. [2]

This entry is intentionally evidence-conservative. The public sources reviewed for this automated refresh provide active-exploitation status, product identity, fixed-version or hotfix evidence where available, and vulnerability metadata, but they do not publish attacker-controlled infrastructure, file hashes, victim counts, or a campaign name. Source and advisory URLs are therefore kept as source selectors rather than IOC values.

Key Facts

CVE: CVE-2026-56155

Vendor: Microsoft

Product: Active Directory Federation Services (AD FS)

KEV Added: 2026-07-14

KEV Due Date: 2026-07-28

Affected / Fixed Version Selectors:

  • windows_server_2012_r2_server_core_installation < 6.3.9600.23291
  • windows_server_2012_r2 < 6.3.9600.23291
  • windows_server_2012_server_core_installation < 6.2.9200.26226
  • windows_server_2012 < 6.2.9200.26226
  • windows_server_2016_server_core_installation < 10.0.14393.9339
  • windows_server_2016 < 10.0.14393.9339
  • windows_10_version_1607_for_x64_based_systems < 10.0.14393.9339
  • windows_10_version_1607_for_32_bit_systems < 10.0.14393.9339
  • windows_server_2025 < 10.0.26100.33158
  • windows_server_2025_server_core_installation < 10.0.26100.33158
  • windows_server_2022 < 10.0.20348.5386
  • windows_server_2019_server_core_installation < 10.0.17763.9020
  • windows_server_2019 < 10.0.17763.9020
  • windows_10_version_1809_for_x64_based_systems < 10.0.17763.9020
  • windows_10_version_1809_for_32_bit_systems < 10.0.17763.9020

CVSS: 7.8 HIGH

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA lists CVE-2026-56155 as exploited in the wild for Microsoft Active Directory Federation Services (AD FS).confirmedCISA KEV entries name Microsoft and Active Directory Federation Services (AD FS) and record date added 2026-07-14 [1].
Vendor or NVD sources describe the vulnerability and affected product family.confirmedVendor/NVD enrichment reviewed in this run provides the description, severity, and affected/fixed selectors summarized above [2].
Public sources identify attacker infrastructure, hashes, or campaign attribution.not_observedCISA KEV, NVD, and linked vendor references reviewed during this run do not publish those IOC classes.

Impact Determination

Treat internet-exposed, identity-integrated, or administrative Active Directory Federation Services (AD FS) systems as high-priority until version and mitigation evidence are captured. Affected systems require product log review, host-level timeline preservation, and a post-fix scan. If exploitation succeeded, defenders should decide whether sessions, API keys, service credentials, or product-managed secrets could have been accessed or abused from the compromised host.

Detection and Hunting

The reviewed hunt manifest ships with scripts/scope_microsoft-adfs-cve-2026-56155-kev.py. It scans asset inventories and exported logs for CVE-2026-56155, Microsoft, Active Directory Federation Services (AD FS), affected/fixed-version selectors, and product-specific telemetry patterns from the sources. Use it against CMDB exports, scanner exports, EDR file/log bundles, web server logs, appliance logs, product logs, and incident evidence collected in a forensics-safe workspace.

Positive findings are scope signals, not proof of compromise. Escalate to product-specific IR by preserving UTC timelines, snapshots or hashes of relevant configs and logs, evidence owner, collection time, and chain-of-custody notes.

Remediation and Recovery Gates

  1. Confirm whether each Active Directory Federation Services (AD FS) instance is affected by matching deployed version evidence against vendor/NVD ranges.
  2. Apply the vendor fixed release, hotfix, or documented mitigation, then capture before/after version proof.
  3. Run a post-fix scan and keep the result with the incident record.
  4. Review product logs and host telemetry for exploit success, persistence, new users, changed configuration, suspicious scheduled tasks, web shells, or unexpected outbound access.
  5. Make a credential/session rotation decision based on whether exploitation reached secrets, sessions, SSO/OIDC material, API keys, or product-managed credentials.
  6. Monitor for recurrence after recovery.

Indicators of Compromise

No attacker-controlled domains, URLs, hashes, or IP addresses were published by the sources reviewed for this entry. Machine-readable IOC fields are intentionally empty for those classes.

Open Questions

  • Which exploitation clusters are using CVE-2026-56155 in the wild?
  • Are there reliable product-specific log signatures beyond public vendor guidance and exposure scoping selectors?
  • Did vendor or researcher sources publish additional affected/fixed-version detail after this automated refresh?

Sources

Timeline

6 of 6 rows

Timeline
DateEventDescriptionSource
Jul 14, 2026First seenFirst seen recorded for Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability.msrc.microsoft.com
Jul 14, 2026DiscoveryDiscovery recorded for Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability.msrc.microsoft.com
Jul 14, 2026DisclosureDisclosure recorded for Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability.msrc.microsoft.com
Jul 14, 2026Patch or fixPatch or fix recorded for Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability.msrc.microsoft.com
Jul 28, 2026kev due datekev due date recorded for Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability.msrc.microsoft.com
Jul 14, 2026Microsoft Active Directory Federation Services CVE-2026-56155 actively exploited vulnerability: actively exploited vulnerability added to CISA KEVUnknownmsrc.microsoft.com

Affected Software

15 of 15 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
windows_server_2012_r2_server_core_installationenterprise-software< 6.3.9600.23291Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2012_r2enterprise-software< 6.3.9600.23291Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2012_server_core_installationenterprise-software< 6.2.9200.26226Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2012enterprise-software< 6.2.9200.26226Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2016_server_core_installationenterprise-software< 10.0.14393.9339Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2016enterprise-software< 10.0.14393.9339Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_10_version_1607_for_x64_based_systemsenterprise-software< 10.0.14393.9339Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_10_version_1607_for_32_bit_systemsenterprise-software< 10.0.14393.9339Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2025enterprise-software< 10.0.26100.33158Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2025_server_core_installationenterprise-software< 10.0.26100.33158Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2022enterprise-software< 10.0.20348.5386Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2019_server_core_installationenterprise-software< 10.0.17763.9020Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_server_2019enterprise-software< 10.0.17763.9020Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_10_version_1809_for_x64_based_systemsenterprise-software< 10.0.17763.9020Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov
windows_10_version_1809_for_32_bit_systemsenterprise-software< 10.0.17763.9020Malicious90%msrc.microsoft.com; cisa.gov; api.msrc.microsoft.com; nvd.nist.gov

IOC Clipboard

3 IOCs
commandMicrosoft
commandCVE-2026-56155
commandActive Directory Federation Services (AD FS)

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
CVE-2026-56155 asset and telemetry scopePythonDo inventories/logs contain CVE-2026-56155, Microsoft, Active Directory Federation Services (AD FS), affected-version, or telemetry selectors?scripts/scope_microsoft-adfs-cve-2026-56155-kev.py opens in a new tabmsrc.microsoft.com

Hunt Manifest: CVE-2026-56155 asset and telemetry scope

Title
CVE-2026-56155 asset and telemetry scope
Question
Do inventories/logs contain CVE-2026-56155, Microsoft, Active Directory Federation Services (AD FS), affected-version, or telemetry selectors?
Telemetry Family
Python
Repository
scripts/scope_microsoft-adfs-cve-2026-56155-kev.py
Show tested hunting scriptscripts/scope_microsoft-adfs-cve-2026-56155-kev.py
scripts/scope_microsoft-adfs-cve-2026-56155-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope CVE-2026-56155 exposure from local inventories and exported logs."""
from __future__ import annotations
import json, os, sys
from pathlib import Path
CVE_IDS=['CVE-2026-56155']
VENDOR='Microsoft'
PRODUCT='Active Directory Federation Services (AD FS)'
AFFECTED_VERSION_SELECTORS=['windows_server_2012_r2_server_core_installation < 6.3.9600.23291', 'windows_server_2012_r2 < 6.3.9600.23291', 'windows_server_2012_server_core_installation < 6.2.9200.26226', 'windows_server_2012 < 6.2.9200.26226', 'windows_server_2016_server_core_installation < 10.0.14393.9339', 'windows_server_2016 < 10.0.14393.9339', 'windows_10_version_1607_for_x64_based_systems < 10.0.14393.9339', 'windows_10_version_1607_for_32_bit_systems < 10.0.14393.9339', 'windows_server_2025 < 10.0.26100.33158', 'windows_server_2025_server_core_installation < 10.0.26100.33158', 'windows_server_2022 < 10.0.20348.5386', 'windows_server_2019_server_core_installation < 10.0.17763.9020', 'windows_server_2019 < 10.0.17763.9020', 'windows_10_version_1809_for_x64_based_systems < 10.0.17763.9020', 'windows_10_version_1809_for_32_bit_systems < 10.0.17763.9020']
SOURCE_SELECTORS=['https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json', 'https://nvd.nist.gov/vuln/detail/CVE-2026-56155', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155', 'https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct?$filter=cveNumber%20eq%20%27CVE-2026-56155%27', 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-56155']
DOMAINS=[]; HASHES=[]; URLS=[]; FILES=[]; NETWORK_PATTERNS=[]
PROCESS_PATTERNS=['Active Directory Federation Services (AD FS)', 'Microsoft', 'CVE-2026-56155']
PRODUCT_TELEMETRY_PATTERNS=['AD FS', 'administrator privileges', 'Security Update', 'Monthly Rollup']
INDICATORS=list(dict.fromkeys(CVE_IDS+[VENDOR,PRODUCT]+AFFECTED_VERSION_SELECTORS+SOURCE_SELECTORS+PRODUCT_TELEMETRY_PATTERNS))
OUT=os.environ.get('OUT','hp-microsoft-adfs-cve-2026-56155-kev-scope')
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.conf','.ini','.md'}
EXCLUDED_DIR_NAMES={'.git','node_modules','vendor','dist','__pycache__','.venv'}
def read_text(path: Path)->str:
    try: return path.read_text(encoding='utf-8', errors='ignore')
    except Exception: return ''
def iter_files(root: Path):
    if root.is_file(): yield root; return
    for p in root.rglob('*'):
        if p.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in p.parts):
            if not p.suffix or p.suffix.lower() in TEXT_SUFFIXES: yield p
def scan(root: Path):
    matches=[]; lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        low=read_text(path).lower(); hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits: matches.append({'path':str(path),'hits':hits})
    return matches
def main(argv=None):
    argv=argv or sys.argv[1:]; root=Path(argv[0]) if argv else Path('.')
    matches=scan(root); out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
    report={'cves':CVE_IDS,'vendor':VENDOR,'product':PRODUCT,'affected_version_selectors':AFFECTED_VERSION_SELECTORS,'match_count':len(matches),'matches':matches}
    (out_dir/'scope_report.json').write_text(json.dumps(report,indent=2),encoding='utf-8')
    print(json.dumps({'cves':CVE_IDS,'match_count':len(matches),'report':str(out_dir/'scope_report.json')},indent=2))
    return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
msrc.microsoft.comSecurity Researcher95%1CISA added CVE-2026-56155 affecting Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
cisa.govSecurity Researcher95%2CISA added CVE-2026-56155 affecting Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
api.msrc.microsoft.comSecurity Researcher95%1CISA added CVE-2026-56155 affecting Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
nvd.nist.govSecurity Researcher95%1CISA added CVE-2026-56155 affecting Microsoft Active Directory Federation Services (AD FS) to the Known Exploited Vulnerabilities catalog on 2026-07-14. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.