CISA added four actively exploited vulnerabilities affecting SonicWall SMA1000 appliances, Microsoft Active Directory Federation Services, and Microsoft SharePoint Server to its Known Exploited Vulnerabilities Catalog on July 14, putting internet-facing access infrastructure and identity systems at the front of administrators’ patch queues.
The additions are CVE-2026-15409, CVE-2026-15410, CVE-2026-56155, and CVE-2026-56164. CISA said each vulnerability met its threshold for evidence of exploitation in the wild, although neither the agency nor the affected vendors have publicly detailed the attacks, victims, or threat actors involved.
Two of the flaws landed alongside Microsoft’s July 2026 Patch Tuesday release. Microsoft identifies both the AD FS and SharePoint vulnerabilities as exploited zero-days, making the corresponding security updates more urgent than their place in an unusually large monthly patch bundle might otherwise suggest.
CVE-2026-15409 is a server-side request forgery vulnerability in the WorkPlace interface of SonicWall SMA1000 appliances. According to the CVE description attributed to SonicWall, a remote, unauthenticated attacker could cause an affected appliance to send requests to unintended destinations.
That matters because an SSRF flaw can turn a trusted edge appliance into a path toward services that are not directly reachable from the internet. Depending on configuration and network segmentation, an attacker may be able to probe internal addresses, contact administrative services, or obtain information from systems that trust traffic originating from the appliance.
CVE-2026-15410 is the more direct code-injection issue in the same SMA1000 product family. CISA’s inclusion of both vulnerabilities on the same day raises the possibility that attackers are combining them or targeting the same exposed management and remote-access surfaces, although no public exploit chain has been confirmed.
Administrators should identify every SMA1000 appliance, including standby nodes and disaster-recovery systems, and compare installed firmware against SonicWall’s current security guidance. Where an update cannot be deployed immediately, management and user-facing interfaces should be restricted to trusted networks wherever operationally possible.
Patching should not be treated as evidence that the appliance is clean. Because CISA’s listing confirms prior exploitation, defenders should also review authentication records, administrative changes, unexpected outbound connections, newly created accounts, configuration exports, and unusual requests involving the WorkPlace interface.
Remote-access appliances occupy a particularly valuable position for attackers: they are commonly internet-facing, handle credentials, and provide a bridge into protected networks. An organization that finds suspicious activity should consider credential rotation and session invalidation alongside conventional forensic preservation.
AD FS uses the DKM container in Active Directory to store symmetric keys protecting token-signing and token-encryption certificate private keys. Microsoft’s KB5121391 explains that an overly permissive access control list can allow an attacker with read access to the DKM material to decrypt token-signing private keys.
That moves the risk beyond an ordinary local privilege-escalation bug. Access to token-signing secrets could undermine trust in a federated identity environment, potentially enabling an attacker to create or abuse authentication tokens rather than merely control one Windows Server.
Microsoft is introducing the fix as a phased hardening change rather than immediately rewriting permissions. After administrators install the July 14 security update, AD FS checks the DKM container ACL when the service starts and then every 24 hours. An insecure configuration generates Event ID 1132 in the AD FS Admin event log, but the first phase does not automatically alter the permissions.
For Windows Server 2016 and later, administrators can opt into remediation by setting the
Windows Server 2012 and Windows Server 2012 R2 require additional preparation because the AD FS service account must first receive permission to remediate the container. The vulnerability and hardening guidance apply across supported and Extended Security Update releases including Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 23H2, and Windows Server 2025.
For identity teams, the operational sequence is therefore more involved than installing a cumulative update:
That combination makes the flaw especially concerning for on-premises SharePoint farms reachable from untrusted networks. A missing authentication check can give attackers access to functionality that should be restricted before any user identity has been established.
The vulnerability was addressed in Microsoft’s July 2026 security updates for affected SharePoint Server releases. Administrators should not assume that Windows Update alone has completed the job: SharePoint security servicing may require deploying the appropriate SharePoint package across every server in the farm and running the SharePoint Products Configuration Wizard or the corresponding PowerShell process.
Organizations should inventory all SharePoint servers, including application servers that are not directly internet-facing, because a farm remains exposed if only its web front ends are updated. Reverse proxies and load balancers can also conceal forgotten nodes that continue accepting traffic.
Logs should be reviewed for unexpected unauthenticated requests, newly deployed files, abnormal application-pool activity, suspicious PowerShell execution, and changes to farm or site-collection permissions. The lack of public attack details makes broad behavioral review more useful than waiting for a single published indicator of compromise.
Under Binding Operational Directive 26-04, Federal Civilian Executive Branch agencies must prioritize KEV vulnerabilities on publicly exposed assets when exploitation could provide total control. The directive also strengthens expectations that agencies determine whether compromise occurred before remediation, instead of treating patch installation as the end of the response.
The directive is mandatory only for federal civilian agencies, but the same logic applies to private-sector environments. For these four flaws, administrators should prioritize exposed SonicWall SMA1000 and SharePoint systems first, then verify AD FS patch and DKM ACL status across the identity tier.
The immediate milestone is deployment of the July 14 Microsoft updates and SonicWall’s applicable SMA1000 fixes. The longer-running task is compromise assessment—particularly for appliances and federation servers where an attacker may have obtained durable access or authentication material before the vulnerable code was replaced.
The additions are CVE-2026-15409, CVE-2026-15410, CVE-2026-56155, and CVE-2026-56164. CISA said each vulnerability met its threshold for evidence of exploitation in the wild, although neither the agency nor the affected vendors have publicly detailed the attacks, victims, or threat actors involved.
Two of the flaws landed alongside Microsoft’s July 2026 Patch Tuesday release. Microsoft identifies both the AD FS and SharePoint vulnerabilities as exploited zero-days, making the corresponding security updates more urgent than their place in an unusually large monthly patch bundle might otherwise suggest.
SonicWall’s Remote-Access Perimeter Takes Two Hits
CVE-2026-15409 is a server-side request forgery vulnerability in the WorkPlace interface of SonicWall SMA1000 appliances. According to the CVE description attributed to SonicWall, a remote, unauthenticated attacker could cause an affected appliance to send requests to unintended destinations.That matters because an SSRF flaw can turn a trusted edge appliance into a path toward services that are not directly reachable from the internet. Depending on configuration and network segmentation, an attacker may be able to probe internal addresses, contact administrative services, or obtain information from systems that trust traffic originating from the appliance.
CVE-2026-15410 is the more direct code-injection issue in the same SMA1000 product family. CISA’s inclusion of both vulnerabilities on the same day raises the possibility that attackers are combining them or targeting the same exposed management and remote-access surfaces, although no public exploit chain has been confirmed.
Administrators should identify every SMA1000 appliance, including standby nodes and disaster-recovery systems, and compare installed firmware against SonicWall’s current security guidance. Where an update cannot be deployed immediately, management and user-facing interfaces should be restricted to trusted networks wherever operationally possible.
Patching should not be treated as evidence that the appliance is clean. Because CISA’s listing confirms prior exploitation, defenders should also review authentication records, administrative changes, unexpected outbound connections, newly created accounts, configuration exports, and unusual requests involving the WorkPlace interface.
Remote-access appliances occupy a particularly valuable position for attackers: they are commonly internet-facing, handle credentials, and provide a bridge into protected networks. An organization that finds suspicious activity should consider credential rotation and session invalidation alongside conventional forensic preservation.
AD FS Hardening Starts in Audit Mode
CVE-2026-56155 affects Active Directory Federation Services and stems from insufficiently granular access controls around its Distributed Key Manager container. Microsoft says an authorized local attacker can exploit the weakness to elevate privileges, while CISA’s KEV addition confirms that exploitation has already occurred.AD FS uses the DKM container in Active Directory to store symmetric keys protecting token-signing and token-encryption certificate private keys. Microsoft’s KB5121391 explains that an overly permissive access control list can allow an attacker with read access to the DKM material to decrypt token-signing private keys.
That moves the risk beyond an ordinary local privilege-escalation bug. Access to token-signing secrets could undermine trust in a federated identity environment, potentially enabling an attacker to create or abuse authentication tokens rather than merely control one Windows Server.
Microsoft is introducing the fix as a phased hardening change rather than immediately rewriting permissions. After administrators install the July 14 security update, AD FS checks the DKM container ACL when the service starts and then every 24 hours. An insecure configuration generates Event ID 1132 in the AD FS Admin event log, but the first phase does not automatically alter the permissions.
For Windows Server 2016 and later, administrators can opt into remediation by setting the
RemediateDkmAcl registry value to 1. Microsoft says automatic remediation is scheduled to begin on October 13, 2026, unless the value is explicitly set to 0 to opt out.Windows Server 2012 and Windows Server 2012 R2 require additional preparation because the AD FS service account must first receive permission to remediate the container. The vulnerability and hardening guidance apply across supported and Extended Security Update releases including Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 23H2, and Windows Server 2025.
For identity teams, the operational sequence is therefore more involved than installing a cumulative update:
- Install the July 14, 2026 security update or a later cumulative update on every AD FS server.
- Restart or otherwise cycle the AD FS service as required, then inspect the AD FS Admin log for Event ID 1132.
- Validate existing DKM permissions before enabling remediation, particularly in farms using custom service accounts or delegated administration.
- Investigate unexplained access to the DKM container and consider whether token-signing certificates or other federation secrets require rotation.
SharePoint Exploitation Needs Immediate Server-Side Attention
CVE-2026-56164 affects Microsoft SharePoint Server and is described by CISA as missing authentication for a critical function. Microsoft classifies the result as elevation of privilege, while reporting from SecurityWeek and BleepingComputer says exploitation can occur over the network without authentication.That combination makes the flaw especially concerning for on-premises SharePoint farms reachable from untrusted networks. A missing authentication check can give attackers access to functionality that should be restricted before any user identity has been established.
The vulnerability was addressed in Microsoft’s July 2026 security updates for affected SharePoint Server releases. Administrators should not assume that Windows Update alone has completed the job: SharePoint security servicing may require deploying the appropriate SharePoint package across every server in the farm and running the SharePoint Products Configuration Wizard or the corresponding PowerShell process.
Organizations should inventory all SharePoint servers, including application servers that are not directly internet-facing, because a farm remains exposed if only its web front ends are updated. Reverse proxies and load balancers can also conceal forgotten nodes that continue accepting traffic.
Logs should be reviewed for unexpected unauthenticated requests, newly deployed files, abnormal application-pool activity, suspicious PowerShell execution, and changes to farm or site-collection permissions. The lack of public attack details makes broad behavioral review more useful than waiting for a single published indicator of compromise.
KEV Status Changes the Patch Calculation
CISA’s KEV Catalog is not simply a ranking of vulnerabilities by CVSS score. Inclusion means the agency has evidence that attackers have used the vulnerability under real-world conditions, which makes it a stronger prioritization signal than theoretical exploitability alone.Under Binding Operational Directive 26-04, Federal Civilian Executive Branch agencies must prioritize KEV vulnerabilities on publicly exposed assets when exploitation could provide total control. The directive also strengthens expectations that agencies determine whether compromise occurred before remediation, instead of treating patch installation as the end of the response.
The directive is mandatory only for federal civilian agencies, but the same logic applies to private-sector environments. For these four flaws, administrators should prioritize exposed SonicWall SMA1000 and SharePoint systems first, then verify AD FS patch and DKM ACL status across the identity tier.
The immediate milestone is deployment of the July 14 Microsoft updates and SonicWall’s applicable SMA1000 fixes. The longer-running task is compromise assessment—particularly for appliances and federation servers where an attacker may have obtained durable access or authentication material before the vulnerable code was replaced.
References
- Primary source: CISA
Published: 2026-07-14T12:00:00+00:00
- Related coverage: securityweek.com
Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days - SecurityWeek
Microsoft has announced patches for 622 vulnerabilities, including exploited zero-days in Active Directory and SharePoint Server.www.securityweek.com