CVE-2026-56155 – Active Directory Federation Services Elevation of Privilege Vulnerability

CVSS 7.8 IMPORTANT Critical or Zero Day – Immediate Deployment

“When attackers turn ordinary user access into administrator control, a single compromised account can become the key to the entire environment.”

An insufficient granularity of access control vulnerability in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally. A successful attack could grant administrator privileges, enabling an attacker to gain complete control over the affected system. Microsoft has confirmed active exploitation of this vulnerability and released security updates for affected Windows client and server platforms.

CVSS Score: 7.8

SEVERITY: Important

THREAT:
This vulnerability affects Active Directory Federation Services by allowing a locally authenticated attacker with low privileges to elevate their permissions to administrator level. Once elevated, an attacker could execute privileged commands, modify system settings, install malicious software, create additional administrative accounts, or disable security controls. Because AD FS is commonly used for identity and authentication services, successful exploitation can have significant security implications.

EXPLOITS:
Microsoft confirms that active exploitation has been detected. The vulnerability was not publicly disclosed before the security update, but attackers are known to be exploiting it in the wild. The provided information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by insufficient granularity of access control (CWE-1220) within Active Directory Federation Services. Improper enforcement of authorization boundaries allows an authenticated local attacker with low privileges to gain administrator privileges. The vulnerability impacts the confidentiality, integrity, and availability of affected systems, giving an attacker broad control once exploitation is successful.

EXPLOITABILITY:
Affected products include Windows 10 Version 1607 and Version 1809, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including applicable Server Core installations listed in Microsoft’s advisory. Exploitation requires local access and a low-privileged authenticated account but does not require user interaction.

BUSINESS IMPACT:
Privilege escalation vulnerabilities pose a serious risk because they allow attackers who have already gained limited access to take complete control of affected systems. In environments using AD FS for authentication and identity services, administrator-level compromise can lead to unauthorized access to sensitive business resources, disruption of critical services, deployment of ransomware, theft of credentials, and broader compromise of enterprise infrastructure.

WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends deploying the appropriate security updates to eliminate the vulnerability.

URGENCY:
This vulnerability should be prioritized because Microsoft has confirmed active exploitation in the wild. Although local access is required, attackers who obtain an initial foothold can use this flaw to gain administrator privileges and significantly expand their control over affected systems. Organizations should prioritize patching AD FS servers and other affected systems that are accessible by users or administrators.

Key Details

Affected Product
Microsoft Windows 10 1607
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-1220
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.