Executive Summary
A high-severity elevation-of-privilege vulnerability in Active Directory Federation Services (AD FS) is being actively exploited in the wild. CVE-2026-56155, patched by Microsoft on July 8, 2026 as part of July Patch Tuesday, enables a locally authorized attacker to read Distributed Key Manager (DKM) material and forge SAML tokens — a "Golden SAML" attack class capable of compromising entire hybrid identity environments.
CVSS Score: 7.8 (HIGH)
CISA added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14, 2026, alongside two SonicWall flaws and a SharePoint zero-day — four exploited bugs added to KEV on a single day. Federal agencies must patch or discontinue use by July 28, 2026 under BOD 26-04.
Discovery is credited to Jeremy Kingston and Scott Clark of Microsoft's Detection and Response Team (DART), strongly suggesting the vulnerability was identified during active incident response to real-world intrusions.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-56155 |
| CVSS Score | 7.8 (HIGH) |
| Type | Insufficient Granularity of Access Control / Elevation of Privilege |
| Component | Active Directory Federation Services — DKM Container |
| Attack Vector | Local (requires existing foothold) |
| Privileges Required | Low (local authorization) |
| User Interaction | None |
| Patch Available | Yes — July 2026 Patch Tuesday |
| CISA KEV | Yes — added July 14, 2026 |
Technical Analysis
The Root Cause: DKM Container ACL Misconfig
AD FS uses the Distributed Key Manager (DKM) — a component built on Active Directory — to protect the private keys for token-signing and token-encryption certificates. These certificates are the foundation of all SAML-based trust between the federation service and relying parties (Azure AD, Microsoft 365, SaaS applications, etc.).
The vulnerability exists when the Access Control List on the DKM container is insufficiently restrictive. A locally authorized attacker who gains even a limited foothold on a domain-joined system can:
- Enumerate the DKM container location in Active Directory
- Read the DKM encryption material due to the permissive ACL
- Decrypt the protected AD FS token-signing private key
- Use the extracted key to forge arbitrary SAML 2.0 assertions
The Golden SAML Attack
Forging SAML tokens with a stolen AD FS signing key is a well-documented but catastrophically effective technique sometimes called "Golden SAML" — analogous to a Kerberos Golden Ticket in traditional AD environments.
Attack Chain:
1. Attacker gains initial access (phishing, credential stuffing, etc.)
2. Foothold provides limited local authorization on a domain-joined system
3. Attacker enumerates AD FS DKM container path in Active Directory
4. CVE-2026-56155: Permissive ACL allows DKM material read
5. Attacker extracts and decrypts AD FS token-signing private key
6. Attacker forges SAML assertions for any user, any claims, any role
7. Azure AD, M365, and federated SaaS apps accept forged tokens
8. Lateral movement to cloud resources with no password or MFA requiredWhy This Is Dangerous in Hybrid Environments
In pure on-premises environments, damage is limited to what SAML-federated services trust. In hybrid Azure AD environments — which describe the majority of enterprise Microsoft deployments — a forged token can provide full access to:
- Microsoft 365 (Exchange Online, Teams, SharePoint Online)
- Azure management plane (if AD FS is used for Azure auth)
- Any third-party SaaS applications relying on the federation trust
- Privileged Identity Management escalation paths in Entra ID
Critically, forged SAML tokens bypass MFA entirely — the authentication step is skipped because the token itself is accepted as proof of authenticated identity. This makes Golden SAML attacks particularly useful for nation-state actors and advanced persistent threat groups targeting hybrid environments.
Affected Products
| Product | Affected |
|---|---|
| Windows Server 2012 — AD FS | Yes |
| Windows Server 2012 R2 — AD FS | Yes |
| Windows Server 2016 — AD FS | Yes |
| Windows Server 2019 — AD FS | Yes |
| Windows Server 2022 — AD FS | Yes |
| Windows Server 2025 — AD FS | Yes |
| Windows Server Core variants | Yes |
| Azure AD (cloud-only) | Not affected |
| Entra External ID / B2C | Not affected |
Timeline
| Date | Event |
|---|---|
| Pre-July 2026 | Active exploitation begins in the wild |
| July 8, 2026 | Microsoft releases fix via July 2026 Patch Tuesday |
| July 14, 2026 | CISA adds CVE-2026-56155 to KEV catalog |
| July 28, 2026 | Federal agency remediation deadline (BOD 26-04) |
Immediate Remediation
Step 1: Apply July 2026 Patch Tuesday Updates
Apply all July 2026 Windows Server security updates to every server running Active Directory Federation Services:
# Check current Windows Update status
Get-WindowsUpdateLog
# Install updates via PowerShell (Server Core)
Install-WindowsUpdate -AcceptAll -AutoReboot
# Verify AD FS service version post-patch
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Federation*"}Or deploy via WSUS, MECM/SCCM, Microsoft Update, or your preferred patch management platform.
Step 2: Audit DKM Container ACLs
After patching, verify the ACL posture on your DKM container:
# Find the DKM container DN
$adfsConfig = Get-AdfsProperties
$dkmContainerDN = $adfsConfig.DkmContainerDN
# Review ACLs
$acl = Get-Acl -Path "AD:$dkmContainerDN"
$acl.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSizeLook for any accounts beyond AD FS service accounts and Domain Admins having read rights to the DKM container. Remove any extraneous permissions.
Step 3: Assess for Existing Compromise
Because CISA only adds vulnerabilities to KEV upon confirmed in-the-wild exploitation, treat any unpatched AD FS server as potentially compromised. Alongside applying the patch:
# Check AD FS audit logs for unusual token issuance
Get-EventLog -LogName "AD FS/Admin" -EntryType Error, Warning -Newest 500
# Look for unusual SAML token recipients
Get-WinEvent -ProviderName "AD FS" | Where-Object {$_.Id -eq 1200} | Select-Object -First 50
# Check DKM container access audit events
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4662 -and $_.Message -like "*DKM*"}Step 4: Rotate AD FS Certificates (If Compromise Suspected)
If you have indicators of unauthorized DKM access:
# Force immediate certificate rollover
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
# Update all relying party trusts with new certificates
Update-AdfsRelyingPartyTrust -TargetIdentifier "<your-relying-party-id>"
# Revoke all outstanding tokens (requires resetting token issuance)
Set-AdfsProperties -TokenLifetime 1Detection Indicators
| Indicator | Log Source | Event ID |
|---|---|---|
| AD object read on DKM container | Windows Security Log | 4662 |
| LDAP queries for AD FS service configuration | Windows Security Log | 4661 |
| Unusual AD FS SAML token issuance (unexpected relying parties) | AD FS Admin Log | 1200, 1202 |
| Token issued for privileged users outside business hours | AD FS Admin Log | 1200 |
| AD FS service account accessing DKM from unusual host | Windows Security Log | 4624, 4634 |
Post-Remediation Checklist
- July 2026 Patch Tuesday applied to all AD FS servers
- DKM container ACLs audited and hardened
- AD FS audit logging enabled and reviewed
- No indicators of unauthorized DKM access found
- If IoCs found: AD FS certificates rotated; relying party trusts updated
- Federal agencies: remediation documented for BOD 26-04 compliance
- Ongoing: monitoring for anomalous SAML issuance in SIEM
References
- Microsoft Security Advisory — CVE-2026-56155
- CISA KEV Catalog — CVE-2026-56155
- July 2026 Patch Tuesday: Fix 2 Exploited AD FS and SharePoint Zero-Days
- Microsoft Patches Record 622 Flaws Including Two Zero-Days
- NVD — CVE-2026-56155