Microsoft AD FS Zero-Day Exploited to Gain Administrator Privileges
Microsoft has released security updates and hardening guidance for CVE-2026-56155, an actively exploited zero-day vulnerability in Active Directory Federation Services. A low-privileged, authenticated attacker can exploit the flaw locally to gain administrator privileges.
The vulnerability affects permissions on the Distributed Key Manager container used by AD FS. If those permissions allow unauthorized access, an attacker could obtain key material protecting sensitive token-signing and token-encryption certificates.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Microsoft rates the vulnerability as Important with a CVSS 3.1 score of 7.8. The official CVE-2026-56155 security advisory confirms that attackers have already exploited it and that functional exploit code exists.
What Is CVE-2026-56155?
CVE-2026-56155 results from insufficiently detailed access controls in AD FS. Microsoft tracks the weakness as CWE-1220, which covers cases where software does not restrict access at the required level.
AD FS provides federated identity and single sign-on services. Organizations use it to authenticate users and issue security tokens for applications, cloud services, and systems across trust boundaries.
The vulnerable component is the AD FS Distributed Key Manager, or DKM, container in Active Directory. AD FS stores symmetric keys in this container to protect private keys associated with token-signing and token-encryption certificates.
| CVE detail | Information |
|---|---|
| CVE | CVE-2026-56155 |
| Affected product | Active Directory Federation Services |
| Vulnerability type | Elevation of privilege |
| Severity | Important |
| CVSS score | 7.8 |
| Attack vector | Local |
| Privileges required | Low |
| User interaction | None |
| Exploitation status | Actively exploited |
Attackers Can Access Sensitive AD FS Key Material
The vulnerability becomes exploitable when the DKM container has an overly permissive access control list. An attacker with read access to the stored key material can decrypt the private keys used for AD FS token signing.
Token-signing keys play a central role in federation security. AD FS uses them to prove that an authentication token came from a trusted federation server.
Access to this material could allow an attacker to undermine authentication trust, impersonate users, or access connected services. Microsoft has not publicly described the attacks or the exact techniques used after exploitation.
- The attacker must already have authenticated access.
- The attack uses a local vector.
- No user interaction is required.
- The attack has low complexity.
- Successful exploitation can provide administrator privileges.
- Exposed DKM material can threaten AD FS token-signing keys.
July Update Starts With Audit Mode
Installing the July 14, 2026 Windows security update is the first required step, but the update does not immediately repair the DKM container permissions.
Microsoft’s AD FS DKM hardening guidance says the July update places affected servers into Audit mode. AD FS checks the container’s access control list after the service starts and repeats the check every 24 hours.
Administrators must review the AD FS Admin event log to determine whether the DKM configuration requires action. The July update records its findings but does not automatically change the permissions.
| Event ID | Level | Meaning |
|---|---|---|
| 1132 | Warning | The DKM container ACL does not match the expected secure state |
| 1133 | Information | The DKM container ACL is secure and no action is required |
| 1134 | Error | The ACL detection task encountered an error |
| 1135 | Information | AD FS successfully hardened the DKM container ACL |
| 1136 | Error | The remediation attempt failed |
Administrators Must Opt Into Early Remediation
If Event ID 1132 appears, administrators should investigate the existing permissions and enable Microsoft’s remediation process. For Windows Server 2016 and later, this requires setting the RemediateDkmAcl registry value to 1 on one AD FS server in the farm.
The value uses the DWORD type and belongs under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS. Administrators can then wait for the next detection cycle or restart the AD FS service to begin remediation sooner.
Windows Server 2012 and Windows Server 2012 R2 require additional preparation. Administrators must first grant the AD FS service account the permissions needed to repair the container, then enable the registry value.
- Install the July 14, 2026 security update or a later update on every AD FS server.
- Review the AD FS Admin log for Event ID 1132, 1133, or 1134.
- If Event ID 1132 appears, review the existing DKM container permissions.
- Follow the instructions for the Windows Server version in use.
- Enable opt-in remediation on one AD FS server in the farm.
- Confirm that Event ID 1135 appears after successful remediation.
- Save the previous security descriptor recorded in Event ID 1135.
- Investigate Event ID 1136 if AD FS cannot complete the change.
Automatic Enforcement Begins in October 2026
Microsoft plans to move Windows Server 2016 and later systems into enforcement mode with the October 13, 2026 security update. At that point, AD FS will automatically remediate insecure DKM permissions unless an administrator explicitly opts out.
Microsoft recommends enabling remediation during the current audit phase. Early testing gives organizations time to identify access or compatibility problems before enforcement begins.
Administrators should not wait until October because Microsoft and CISA have confirmed active exploitation. Any unnecessary account with DKM container access could create an immediate identity-security risk.
| Phase | Date | Behavior |
|---|---|---|
| Audit mode | July 14, 2026 | Detects insecure ACLs and records events without automatic changes |
| Opt-in remediation | Available during audit mode | Administrators can enable DKM ACL hardening manually |
| Enforcement mode | October 13, 2026 | Windows Server 2016 and later automatically remediate insecure ACLs by default |
Which Windows Server Versions Are Affected?
Microsoft’s hardening documentation applies to Windows Server 2012 and Windows Server 2012 R2 systems receiving Extended Security Updates. It also covers supported releases from Windows Server 2016 through Windows Server 2025.
Windows Server version 23H2 also appears in Microsoft’s affected-platform list. Organizations should install the appropriate update for each AD FS server rather than applying updates to unrelated Windows clients.
The published guidance does not list Windows 10 as an affected AD FS platform. The vulnerability concerns servers running the federation service and the permissions protecting its DKM container.
- Windows Server 2012 with Extended Security Updates
- Windows Server 2012 R2 with Extended Security Updates
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server version 23H2
- Windows Server 2025
CISA Orders Federal Agencies to Address the Flaw
The Cybersecurity and Infrastructure Security Agency added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14, 2026. The agency only adds vulnerabilities when reliable evidence shows exploitation in real attacks.
A CISA security alert directs federal civilian agencies to follow the vendor’s mitigation guidance. The catalog gives those agencies a remediation deadline of July 28, 2026.
Private organizations do not have to follow the federal deadline, but CISA’s decision provides a strong reason to prioritize AD FS servers over vulnerabilities without evidence of exploitation.
How Organizations Should Respond
Security teams should begin by identifying every AD FS server and federation farm. They should also document the service accounts, DKM container location, current permissions, token-signing certificates, and applications that trust the affected federation infrastructure.
Administrators should follow Microsoft’s platform-specific remediation instructions. Changing DKM permissions manually without understanding the existing configuration could disrupt federation services.
Organizations should treat unexpected access to the DKM container or token-signing key material as a potential identity compromise. Simply fixing the access control list may not remove keys that an attacker already obtained.
- Inventory all AD FS servers and confirm their Windows Server versions.
- Install the July 2026 update on every server in each federation farm.
- Review AD FS Admin events for insecure DKM permissions or detection errors.
- Enable opt-in remediation after completing required compatibility checks.
- Verify that only approved principals retain access to the DKM container.
- Investigate unfamiliar accounts that previously had access to the container.
- Review privileged sign-ins and configuration changes on AD FS servers.
- Examine federation logs for unexpected token activity.
- Follow incident-response procedures if token-signing keys may have been exposed.
Why AD FS Key Exposure Requires a Wider Investigation
Microsoft’s expected secure state limits DKM container access to Domain Admins, Enterprise Admins, SYSTEM, and the AD FS service account. Remediation disables inheritance and removes other explicit allow entries.
Attackers who obtained protected signing keys before remediation may retain the ability to abuse federation trust. Organizations should therefore consider whether key rotation or broader identity recovery actions are necessary after reviewing evidence of unauthorized access.
Microsoft credited Jeremy Kingston and Scott Clark from its Detection and Response Team for reporting the flaw. The company has withheld detailed exploit information while organizations deploy the required security changes.
Administrators can track the Microsoft security record for revisions. They should also monitor the CISA exploited-vulnerability notice for updated federal response requirements.
FAQ
CVE-2026-56155 is an actively exploited elevation-of-privilege vulnerability in Active Directory Federation Services. It involves overly permissive access controls on the Distributed Key Manager container used to protect AD FS certificate keys.
The vulnerability specifically affects Active Directory Federation Services and its DKM container permissions. It should not be described as a general Active Directory Domain Services vulnerability.
Not automatically. The July update starts Audit mode and records whether the DKM permissions require attention. Administrators must review the events and opt into remediation during this phase.
Event ID 1132 in the AD FS Admin log indicates that the DKM container ACL does not match Microsoft’s expected secure state. Event ID 1133 means the permissions are already secure.
Microsoft plans to enable automatic remediation by default for Windows Server 2016 and later with the October 13, 2026 security update. Administrators can opt into remediation before then.
Microsoft lists Windows Server 2012 ESU, Windows Server 2012 R2 ESU, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 23H2, and Windows Server 2025.
Yes. Microsoft confirmed active exploitation, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 14, 2026.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages