Back to Intelligence

CVE-2026-56155: Microsoft AD FS Access Control Vulnerability — CISA KEV and Defensive Response

SA
Security Arsenal Team
July 14, 2026
7 min read

Introduction

On July 14, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-56155 to the Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Microsoft Active Directory Federation Services (AD FS), a critical identity component used by organizations to enable single sign-on (SSO) and identity federation across enterprise boundaries.

CISA has confirmed active exploitation in the wild. The vulnerability, classified as "Insufficient Granularity of Access Control," allows an authenticated, local attacker to elevate their privileges. Given the role of AD FS in issuing security tokens, a successful compromise could allow an attacker to manipulate trust relationships, forge tokens, or move laterally into the wider Active Directory environment. Under Binding Operational Directive (BOD) 26-04, federal agencies have a deadline to remediate this vulnerability, but private sector organizations must treat this with equal urgency.

Technical Analysis

Affected Component: Microsoft Active Directory Federation Services (AD FS).

Vulnerability Type: Insufficient Granularity of Access Control (CWE-1220 / Privilege Escalation).

CVE Identifier: CVE-2026-56155.

Exploitation Requirements: An attacker must already have valid credentials and local access to the AD FS server. This threat profile is particularly concerning for environments where the AD FS server is not sufficiently segmented from the internal network or where multi-factor authentication (MFA) is not enforced for local administrative logins.

Impact: An authenticated attacker can exploit this flaw to elevate privileges from a standard user context to a higher privilege context (e.g., Local System or Administrator). Since AD FS servers hold the federation signing keys, privilege escalation on this host effectively grants the attacker the ability to create valid SAML tokens for any federated service, potentially leading to full identity compromise of the organization's cloud and on-premises resources.

Exploitation Status: Confirmed Active Exploitation (CISA KEV).

Detection & Response

Detecting local privilege escalation on AD FS servers requires a focus on integrity monitoring and audit logging for security-sensitive operations. Since this vulnerability allows an authorized user to gain unauthorized rights, defenders must look for anomalous process execution, privilege assignment, or modifications to the AD FS configuration database.

SIGMA Rules

The following Sigma rules target suspicious activity indicative of privilege escalation or AD FS configuration manipulation.

YAML
---
title: Potential AD FS Privilege Escalation via Sensitive Privilege Assignment
id: 8a1c2b3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the assignment of sensitive privileges (e.g., SeDebugPrivilege) to a non-system account on AD FS servers, which may indicate exploitation of access control vulnerabilities.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4672
  filter_legit_system:
    SubjectUserName|contains:
      - 'SYSTEM'
      - 'LOCAL SERVICE'
      - 'NETWORK SERVICE'
      - 'ADMINISTRATOR'
  filter_legit_groups:
    SubjectLogonId: '0x3e7' # Local System
  condition: selection and not 1 of filter_legit_*
falsepositives:
  - Legitimate administrative activity by domain admins
level: high
---
title: AD FS Configuration Database Modification via PowerShell
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects attempts to modify the AD FS configuration using the Microsoft.IdentityServer.PowerShell module by non-administrative users.
references:
  - https://learn.microsoft.com/en-us/powershell/module/adfs/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.persistence
  - attack.t1547.012
logsource:
  category: process_creation
  product: windows
detection:
  selection_module:
    CommandLine|contains:
      - 'Import-Module Microsoft.IdentityServer.PowerShell'
      - 'Add-AdfsRelyingPartyTrust'
      - 'Set-AdfsClaimsProviderTrust'
  selection_user:
    SubjectUserName|contains:
      - 'ADFS$'
      - 'Svc_ADFS'
  condition: selection_module and not selection_user
falsepositives:
  - Authorized AD FS administration
level: high
---
title: Access to AD FS Configuration Artifacts
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects access to the AD FS configuration directory or key export files by unusual processes.
references:
  - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectType|contains:
      - 'FileObject'
      - 'Key'
    ObjectName|contains:
      - 'C:\Windows\ADFS'
      - 'C:\Program Files\Active Directory Federation Services'
      - 'Microsoft.IdentityServer.Servicehost.exe.config'
  filter:
    SubjectUserName|endswith: '$'
  condition: selection and not filter
falsepositives:
  - Backup software accessing ADFS config
  - Legitimate admin access
level: medium

KQL (Microsoft Sentinel / Defender)

Use the following KQL query to hunt for suspicious privilege usage and process execution on AD FS servers.

KQL — Microsoft Sentinel / Defender
// Hunt for sensitive privilege assignments and AD FS related process anomalies
let ADFSServers = DeviceProcessEvents 
  | where ProcessName has @"Microsoft.IdentityServer.Servicehost.exe" 
  | summarize by DeviceName;
SecurityEvent 
  | where DeviceName in (ADFSServers) 
  | where (EventID == 4672 and SubjectUserName !contains "$" and SubjectUserName !in ("Administrator", "DOMAIN ADMINS")) 
      or (EventID == 4688 and NewProcessName contains @"powershell.exe" and CommandLine contains @"Microsoft.IdentityServer") 
  | project TimeGenerated, DeviceName, SubjectUserName, EventID, NewProcessName, CommandLine, SubjectLogonId 
  | order by TimeGenerated desc

Velociraptor VQL

This Velociraptor artifact hunts for processes interacting with AD FS binaries or accessing sensitive configuration directories.

VQL — Velociraptor
-- Hunt for AD FS Configuration Access and Anomalous Processes
SELECT Process.Name AS ProcessName,
       Process.Pid,
       Process.Cmdline AS CommandLine,
       Process.Username,
       Process.Exe,
       Process.Ctime
FROM pslist()
WHERE Exe =~ "Microsoft.IdentityServer"
   OR Cmdline =~ "Import-Module.*Microsoft.IdentityServer"
   OR Username =~ ".*\\Adfs.*"

Remediation Script (PowerShell)

This script assists in verifying the current state of the AD FS service and checking for the presence of the specific vulnerability indicators, while enforcing baseline security.

PowerShell
# Remediation and Hardening Script for CVE-2026-56155
# Requires Administrator Privileges

Write-Host "[+] Starting AD FS Security Assessment for CVE-2026-56155..." -ForegroundColor Cyan

# 1. Check if AD FS Role is installed
$adfsService = Get-Service -Name ADFS -ErrorAction SilentlyContinue

if ($null -eq $adfsService) {
    Write-Host "[-] AD FS Service not found on this host. Exiting." -ForegroundColor Yellow
    exit 0
} else {
    Write-Host "[+] AD FS Service detected (Status: $($adfsService.Status))." -ForegroundColor Green
}

# 2. Verify Patching Compliance (Generic Check - Update with specific KB from Vendor Advisory)
Write-Host "[+] Checking installed updates for recent security patches..."
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-60) }

if ($hotfixes) {
    Write-Host "[+] Recent patches found:" -ForegroundColor Green
    $hotfixes | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    Write-Host "[!] No recent patches found in the last 60 days. Verify CVE-2026-56155 patch manually." -ForegroundColor Red
}

# 3. Audit AD FS Service Account Permissions
# Ensure the service account is not overly privileged (e.g., should not be a Domain Admin)
Write-Host "[+] Auditing AD FS Service Account..."
$adfsConfig = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenServiceProperty -ErrorAction SilentlyContinue

if ($adfsConfig) {
    $serviceAccount = $adfsConfig.ServiceAccountName
    Write-Host "[+] AD FS Service Account: $serviceAccount" -ForegroundColor Cyan
    
    # Check group membership (Basic check)
    $groupMembership = (Get-ADPrincipalGroupMembership -Identity $serviceAccount).Name
    if ($groupMembership -contains "Domain Admins" -or $groupMembership -contains "Enterprise Admins") {
        Write-Host "[!] CRITICAL: AD FS Service Account is a member of a privileged group." -ForegroundColor Red
    } else {
        Write-Host "[+] Service account does not appear to be a Domain Admin." -ForegroundColor Green
    }
}

# 4. Enable Advanced Auditing for AD FS
Write-Host "[+] Ensuring Advanced Audit Policy is enabled for Logon/Privilege Use..."
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Privilege Use" /success:enable /failure:enable | Out-Null
Write-Host "[+] Audit policies updated." -ForegroundColor Green

Write-Host "[+] Assessment complete. Please apply the specific security update for CVE-2026-56155 immediately." -ForegroundColor Cyan

Remediation

  1. Apply Security Updates: Immediately review the official Microsoft Security Advisory for CVE-2026-56155 and apply the required cumulative update to all AD FS servers. Ensure that Windows Server is fully patched against the latest vulnerabilities.

  2. CISA BOD 26-04 Compliance: Per CISA's Binding Operational Directive 26-04, this vulnerability requires immediate remediation due to active exploitation. Federal agencies have specific deadlines; all organizations should treat this as an emergency patch cycle.

  3. Validate Configuration: Post-patching, verify that the AD FS configuration has not been altered. Review the list of relying party trusts and claims provider trusts for any unauthorized additions.

  4. Review Access Controls: Conduct a thorough review of who has local administrative access to AD FS servers. Ensure that the principle of least privilege is enforced and that local administrator rights are tightly controlled.

  5. Forensic Triage: If exploitation is suspected, refer to CISA's "Forensics Triage Requirements" for indicators of compromise (IoCs) specific to this campaign. Isolate affected AD FS servers immediately and rotate the AD FS signing certificates if there is any evidence of credential dumping or token manipulation.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cve-2026-56155criticalcisa-kevactively-exploitedcvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.