[KEV] CVE-2026-56155 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-56155 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-56155 is a local privilege escalation vulnerability in Microsoft Active Directory Federation Services (AD FS), caused by insufficient granularity of access control within the service.
Technical Detail
The flaw stems from inadequate access control enforcement within AD FS, allowing an already-authenticated local attacker to escalate their privileges beyond their intended permission level. An attacker with existing local access to a system running AD FS can exploit this control gap to gain elevated privileges, potentially achieving administrative or SYSTEM-level access. The precise escalation path and internal component affected have not been fully disclosed publicly, but the vulnerability class indicates a failure to properly restrict privileged operations to authorized roles or contexts.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on July 14, 2026. The exploit maturity is rated Operational, meaning a functional exploit capable of reliable use in real-world attacks exists and is being actively leveraged. This is not limited to proof-of-concept demonstrations; the exploit is in practical use by threat actors.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE in available intelligence sources.
What To Do
Apply the relevant Microsoft security update for Active Directory Federation Services immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the deadline specified in the KEV entry, which was added July 14, 2026. Organizations should treat this as a high-priority patch regardless of the CVSS score of 0.0, which likely reflects an incomplete or pending scoring assessment rather than low actual risk, given confirmed active exploitation. Until patching is complete, restrict local access to AD FS servers to the minimum necessary personnel, audit local account privileges on AD FS hosts, and monitor for anomalous privilege escalation events in Windows Security event logs, particularly Event IDs 4672 and 4673 indicating sensitive privilege use.