CISA added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog after reports of active exploitation against Microsoft Active Directory Federation Services (AD FS). The flaw is an elevation-of-privilege vulnerability caused by insufficient granularity of access control, mapped to CWE-1220, and allows an authorized attacker to elevate privileges locally on affected systems.
Microsoft rated the issue High with a CVSS v3.1 score of 7.8 and said it affects multiple supported Windows and Windows Server versions running AD FS, with patched builds available. CISA said ransomware use is unknown, directed organizations to apply Microsoft’s mitigations and follow associated forensic triage guidance, and set a 2026-07-28 remediation deadline for federal agencies under BOD 26-04.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
CISA added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog, indicating the Microsoft AD FS flaw has been exploited in the wild. CISA directed organizations to apply vendor mitigations and set a remediation due date of 2026-07-28.
A new CVE record was published for CVE-2026-56155, an elevation-of-privilege vulnerability in Microsoft Active Directory Federation Services caused by insufficient granularity of access control. The record states patched Microsoft builds are available and rates the issue High severity with CVSS 7.8.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.