CVE-2026-56155: Attackers Are Already Exploiting This ADFS Zero-Day. Patch Before They Find Your Server

Microsoft patched CVE-2026-56155 on July 14. This one is different from the other 569 flaws in this month's Patch Tuesday. It was actively exploited in the wild before the patch shipped. Microsoft's own Detection and Response Team (DART) discovered it during real incident response cases. That means real attackers found this bug, built exploits for it, and used them against real organizations before Microsoft even knew about it.
CVSS 7.8. CISA added it to the Known Exploited Vulnerabilities catalog immediately. Federal agencies have until July 21 to patch. You should move faster than that.
What the Bug Does
The vulnerability is in Active Directory Federation Services, specifically in how ADFS handles access control for locally authenticated users. A low-privileged user on an ADFS server can exploit insufficient granularity in the access control model to escalate to administrator.
In plain English: someone who already has a foot in the door (a standard domain user account, a compromised service account, or a web shell running as a low-privileged process) can turn that into full domain admin on an ADFS server.
ADFS is the authentication backbone for Office 365, Azure AD Connect, and most enterprise SSO deployments. If your ADFS server is compromised, the attacker is not just on one server. They are inside your identity provider. They can mint tokens for any user. They can impersonate your CEO. They can access every application federated through ADFS.
Why Microsoft DART Finding This Matters
Microsoft DART is the team that gets called when a Fortune 500 company is actively being breached. They do not find vulnerabilities by running static analysis tools on source code. They find them by responding to incidents and reverse-engineering what the attackers did.
CVE-2026-56155 was discovered because DART saw the same attack pattern across multiple customer engagements. The attackers had a technique for escalating from low-privileged access to ADFS admin that Microsoft's internal security tooling had not caught. The July 14 patch closes that technique.
This means the exploitation was not theoretical. Real organizations lost real data because of this bug. If you run ADFS and have not patched since July 14, you are vulnerable to the exact same technique.
What You Should Do Right Now
Patch immediately. The July 2026 cumulative update for Windows Server includes this fix. Apply it to every server running the ADFS role.
Audit ADFS admin groups. Check membership in the ADFS Administrators group and any custom role assignments. Look for accounts you do not recognize or accounts that were added recently.
Enable advanced auditing for ADFS. If you have not already configured ADFS auditing, do it now:
Set-AdfsProperties -AuditLevel Verbose
Review ADFS token issuance logs. Look for anomalies: tokens issued for high-privilege users outside business hours, tokens with unusual claim values, or tokens issued from IP addresses that do not match your ADFS proxy servers.
Check for unauthorized relying party trusts. An attacker who compromises ADFS can add new relying parties that accept tokens issued by your ADFS farm. Review the list:
Get-AdfsRelyingPartyTrust | Select Name, Identifier, Enabled
If you see anything you did not create, you have already been compromised.
The Bigger Picture: 570 Flaws, 3 Zero-Days
July 2026 Patch Tuesday is the largest in Microsoft's history. 570 vulnerabilities. Three zero-days actively exploited before patches shipped:
- CVE-2026-56155 - ADFS elevation of privilege (this one)
- CVE-2026-56164 - SharePoint Server elevation of privilege
- One publicly disclosed BitLocker bypass (CVE-2026-50661)
This volume is not a coincidence. Microsoft is now using AI-driven vulnerability discovery against its own codebase. The output is triple the previous record. Every Patch Tuesday from now on could drop 400 to 600 fixes. Your patching process needs to scale.
How ServerGurus Handles This
Our managed Windows infrastructure patched CVE-2026-56155 within hours of the July 14 release. Every ADFS server under management received the update before most admins finished reading the advisory.
If you run your own Windows servers, you need to patch, audit, and verify 570 fixes while also checking for signs of compromise from three actively exploited zero-days. If you run on our managed infrastructure, we did that for you before breakfast.
This is not about renting servers. It is about not being the organization that DART finds on the next incident response call.
Check if your servers are exposed with a free audit or learn about managed Windows hosting.