cognitive cybersecurity intelligence

News and Analysis

Search

Microsoft Active Directory Services 0-Day Vulnerability Actively Exploited in the Wild

Microsoft Active Directory Services 0-Day Vulnerability Actively Exploited in the Wild

Microsoft has released security updates for CVE-2026-56155, an actively exploited elevation-of-privilege vulnerability in Active Directory Federation Services (AD FS).

This flaw allows an authenticated local attacker with low privileges to gain administrator-level access on affected systems.

CVE-2026-56155 stems from insufficient granularity in access control within AD FS, a Microsoft service commonly utilized by organizations for single sign-on and federated authentication.

Microsoft has assigned this vulnerability an Important severity rating and confirmed that exploitation has been observed in the wild.

The vulnerability has a CVSS 3.1 base score of 7.8, with an exploitability assessment indicating the presence of functional exploit code. The attack vector is rated as local, requiring low complexity, low privileges, and no user interaction.

While an attacker must already have authenticated access to a vulnerable host, successful exploitation can fully compromise the confidentiality, integrity, and availability of that system.

AD Services 0-Day Vulnerability Exploited

Once an attacker successfully exploits CVE-2026-56155, they could gain administrator privileges, making this flaw particularly significant in enterprise environments where AD FS infrastructure connects to Active Directory domains, identity services, and sensitive applications.

AD FS servers are prime targets because they process authentication requests and issue security tokens for access to corporate services.

An attacker with local administrative access to an AD FS server could alter federation settings, access sensitive authentication materials, turn off security controls, or use the compromised host as a launch point for further network intrusions.

This weakness is classified under CWE-1220, which pertains to insufficient granularity of access control. This category addresses instances where software fails to apply authorization restrictions at the necessary level of detail, allowing users with limited rights to perform actions that should require stronger permissions.

Microsoft released fixes for a wide range of affected Windows versions on July 14, 2026. Supported systems include Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, along with relevant Server Core deployments.

Security updates are also available for older Windows 10 versions that share affected platform components. Organizations using AD FS should prioritize deploying Microsoft’s July security updates, especially on federation servers exposed to administrative users or connected to critical identity infrastructure.

Administrators should ensure that the relevant cumulative or security-only updates have been installed and confirm the updated build number after patching.

Security teams should also review changes to the local administrator group, monitor unusual process executions on AD FS servers, and investigate unexpected modifications to federation configurations and authentication-related events that could indicate follow-on activity.

Since exploitation requires local authenticated access, reducing unnecessary local privileges and monitoring privileged logins can help limit exposure until all affected systems are patched.

Microsoft credited Jeremy Kingston and Scott Clark from its Detection and Response Team (DART) for reporting the issue.

The company has not publicly disclosed the technical details of the exploit, which may help defenders gain additional time to patch while attacks are still being observed.

Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.
The post Microsoft Active Directory Services 0-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts