Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1896+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-56155: Microsoft AD FS Access Control Flaw Enables Golden SAML Attacks
CVE-2026-56155: Microsoft AD FS Access Control Flaw Enables Golden SAML Attacks
SECURITYHIGHCVE-2026-56155

CVE-2026-56155: Microsoft AD FS Access Control Flaw Enables Golden SAML Attacks

Microsoft's July 2026 Patch Tuesday fixes CVE-2026-56155, an actively exploited privilege escalation flaw in Active Directory Federation Services. Attackers exploit overly permissive ACLs on the DKM container to forge SAML tokens and compromise hybrid identity infrastructure. CISA added it to KEV with a July 28 federal deadline.

Dylan H.

Security Team

July 14, 2026
7 min read

Affected Products

  • Windows Server 2012 (AD FS)
  • Windows Server 2012 R2 (AD FS)
  • Windows Server 2016 (AD FS)
  • Windows Server 2019 (AD FS)
  • Windows Server 2022 (AD FS)
  • Windows Server 2025 (AD FS)

Executive Summary

A high-severity elevation-of-privilege vulnerability in Active Directory Federation Services (AD FS) is being actively exploited in the wild. CVE-2026-56155, patched by Microsoft on July 8, 2026 as part of July Patch Tuesday, enables a locally authorized attacker to read Distributed Key Manager (DKM) material and forge SAML tokens — a "Golden SAML" attack class capable of compromising entire hybrid identity environments.

CVSS Score: 7.8 (HIGH)

CISA added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14, 2026, alongside two SonicWall flaws and a SharePoint zero-day — four exploited bugs added to KEV on a single day. Federal agencies must patch or discontinue use by July 28, 2026 under BOD 26-04.

Discovery is credited to Jeremy Kingston and Scott Clark of Microsoft's Detection and Response Team (DART), strongly suggesting the vulnerability was identified during active incident response to real-world intrusions.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-56155
CVSS Score7.8 (HIGH)
TypeInsufficient Granularity of Access Control / Elevation of Privilege
ComponentActive Directory Federation Services — DKM Container
Attack VectorLocal (requires existing foothold)
Privileges RequiredLow (local authorization)
User InteractionNone
Patch AvailableYes — July 2026 Patch Tuesday
CISA KEVYes — added July 14, 2026

Technical Analysis

The Root Cause: DKM Container ACL Misconfig

AD FS uses the Distributed Key Manager (DKM) — a component built on Active Directory — to protect the private keys for token-signing and token-encryption certificates. These certificates are the foundation of all SAML-based trust between the federation service and relying parties (Azure AD, Microsoft 365, SaaS applications, etc.).

The vulnerability exists when the Access Control List on the DKM container is insufficiently restrictive. A locally authorized attacker who gains even a limited foothold on a domain-joined system can:

  1. Enumerate the DKM container location in Active Directory
  2. Read the DKM encryption material due to the permissive ACL
  3. Decrypt the protected AD FS token-signing private key
  4. Use the extracted key to forge arbitrary SAML 2.0 assertions

The Golden SAML Attack

Forging SAML tokens with a stolen AD FS signing key is a well-documented but catastrophically effective technique sometimes called "Golden SAML" — analogous to a Kerberos Golden Ticket in traditional AD environments.

Attack Chain:
1. Attacker gains initial access (phishing, credential stuffing, etc.)
2. Foothold provides limited local authorization on a domain-joined system
3. Attacker enumerates AD FS DKM container path in Active Directory
4. CVE-2026-56155: Permissive ACL allows DKM material read
5. Attacker extracts and decrypts AD FS token-signing private key
6. Attacker forges SAML assertions for any user, any claims, any role
7. Azure AD, M365, and federated SaaS apps accept forged tokens
8. Lateral movement to cloud resources with no password or MFA required

Why This Is Dangerous in Hybrid Environments

In pure on-premises environments, damage is limited to what SAML-federated services trust. In hybrid Azure AD environments — which describe the majority of enterprise Microsoft deployments — a forged token can provide full access to:

  • Microsoft 365 (Exchange Online, Teams, SharePoint Online)
  • Azure management plane (if AD FS is used for Azure auth)
  • Any third-party SaaS applications relying on the federation trust
  • Privileged Identity Management escalation paths in Entra ID

Critically, forged SAML tokens bypass MFA entirely — the authentication step is skipped because the token itself is accepted as proof of authenticated identity. This makes Golden SAML attacks particularly useful for nation-state actors and advanced persistent threat groups targeting hybrid environments.


Affected Products

ProductAffected
Windows Server 2012 — AD FSYes
Windows Server 2012 R2 — AD FSYes
Windows Server 2016 — AD FSYes
Windows Server 2019 — AD FSYes
Windows Server 2022 — AD FSYes
Windows Server 2025 — AD FSYes
Windows Server Core variantsYes
Azure AD (cloud-only)Not affected
Entra External ID / B2CNot affected

Timeline

DateEvent
Pre-July 2026Active exploitation begins in the wild
July 8, 2026Microsoft releases fix via July 2026 Patch Tuesday
July 14, 2026CISA adds CVE-2026-56155 to KEV catalog
July 28, 2026Federal agency remediation deadline (BOD 26-04)

Immediate Remediation

Step 1: Apply July 2026 Patch Tuesday Updates

Apply all July 2026 Windows Server security updates to every server running Active Directory Federation Services:

# Check current Windows Update status
Get-WindowsUpdateLog
 
# Install updates via PowerShell (Server Core)
Install-WindowsUpdate -AcceptAll -AutoReboot
 
# Verify AD FS service version post-patch
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Federation*"}

Or deploy via WSUS, MECM/SCCM, Microsoft Update, or your preferred patch management platform.

Step 2: Audit DKM Container ACLs

After patching, verify the ACL posture on your DKM container:

# Find the DKM container DN
$adfsConfig = Get-AdfsProperties
$dkmContainerDN = $adfsConfig.DkmContainerDN
 
# Review ACLs
$acl = Get-Acl -Path "AD:$dkmContainerDN"
$acl.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize

Look for any accounts beyond AD FS service accounts and Domain Admins having read rights to the DKM container. Remove any extraneous permissions.

Step 3: Assess for Existing Compromise

Because CISA only adds vulnerabilities to KEV upon confirmed in-the-wild exploitation, treat any unpatched AD FS server as potentially compromised. Alongside applying the patch:

# Check AD FS audit logs for unusual token issuance
Get-EventLog -LogName "AD FS/Admin" -EntryType Error, Warning -Newest 500
 
# Look for unusual SAML token recipients
Get-WinEvent -ProviderName "AD FS" | Where-Object {$_.Id -eq 1200} | Select-Object -First 50
 
# Check DKM container access audit events
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4662 -and $_.Message -like "*DKM*"}

Step 4: Rotate AD FS Certificates (If Compromise Suspected)

If you have indicators of unauthorized DKM access:

# Force immediate certificate rollover
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
 
# Update all relying party trusts with new certificates
Update-AdfsRelyingPartyTrust -TargetIdentifier "<your-relying-party-id>"
 
# Revoke all outstanding tokens (requires resetting token issuance)
Set-AdfsProperties -TokenLifetime 1

Detection Indicators

IndicatorLog SourceEvent ID
AD object read on DKM containerWindows Security Log4662
LDAP queries for AD FS service configurationWindows Security Log4661
Unusual AD FS SAML token issuance (unexpected relying parties)AD FS Admin Log1200, 1202
Token issued for privileged users outside business hoursAD FS Admin Log1200
AD FS service account accessing DKM from unusual hostWindows Security Log4624, 4634

Post-Remediation Checklist

  • July 2026 Patch Tuesday applied to all AD FS servers
  • DKM container ACLs audited and hardened
  • AD FS audit logging enabled and reviewed
  • No indicators of unauthorized DKM access found
  • If IoCs found: AD FS certificates rotated; relying party trusts updated
  • Federal agencies: remediation documented for BOD 26-04 compliance
  • Ongoing: monitoring for anomalous SAML issuance in SIEM

References

  • Microsoft Security Advisory — CVE-2026-56155
  • CISA KEV Catalog — CVE-2026-56155
  • July 2026 Patch Tuesday: Fix 2 Exploited AD FS and SharePoint Zero-Days
  • Microsoft Patches Record 622 Flaws Including Two Zero-Days
  • NVD — CVE-2026-56155

Related Advisories

  • SonicWall SMA1000 Zero-Day Exploited — CVE-2026-15409 + CVE-2026-15410
  • Progress ShareFile Path Traversal Zero-Day
#CVE-2026-56155#Microsoft#Active Directory#AD FS#CISA KEV#Privilege Escalation#SAML#Patch Tuesday

Related Articles

CVE-2026-41106: M365 Copilot Open Redirect Allows Unauthenticated Privilege Escalation

A critical open redirect vulnerability in Microsoft 365 Copilot rated CVSS 9.3 enables unauthenticated attackers to perform privilege escalation over the...

4 min read

CVE-2026-11645: Google Chromium V8 Out-of-Bounds Read and Write Vulnerability

A critical out-of-bounds read and write vulnerability in the Chromium V8 engine allows remote attackers to execute arbitrary code inside a sandbox via a...

7 min read

CVE-2022-0492: Linux Kernel Improper Authentication Vulnerability

A Linux kernel vulnerability in the cgroups v1 release_agent feature allows local attackers to escalate privileges and escape containers. Added to CISA KEV…

3 min read
Back to all Security Alerts