CVE-2026-56155 is an actively exploited elevation-of-privilege vulnerability in Active Directory Federation Services that can expose the private keys behind an organization’s federation tokens. Microsoft released the first stage of its fix with the July 14, 2026 Windows security updates, but installing the update alone does not immediately correct an insecure configuration.
Detailed in Microsoft’s Security Update Guide and companion advisory KB5121391, the flaw carries a CVSS 3.1 score of 7.8 and is rated Important. Microsoft says an authorized local attacker with low privileges can exploit insufficiently granular access controls without user interaction, potentially causing high confidentiality, integrity, and availability impact.
The vulnerability is not theoretical. Microsoft lists exploitation as detected, while the Cybersecurity and Infrastructure Security Agency added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14. CISA set a July 28, 2026 remediation deadline for affected US federal systems.
Active Directory Federation Services uses a Distributed Key Manager, or DKM, container in Active Directory to hold symmetric keys. Those keys protect the private keys associated with AD FS token-signing and token-encryption certificates.
If the DKM container’s access control list is too permissive, an attacker who obtains read access to its key material may be able to decrypt the token-signing private keys. That turns an apparently local permissions problem into an identity-system compromise with consequences beyond the individual server.
A stolen token-signing key may enable an attacker to create tokens that appear to have been issued by the trusted federation service. The exact reach depends on the organization’s AD FS configuration, claims rules, relying-party trusts, and connected applications, but the affected material sits at a particularly sensitive point in the authentication chain.
Microsoft describes the underlying weakness as insufficient granularity of access control, tracked as CWE-1220. Its CVSS vector specifies a local attack with low complexity, low privileges, no user interaction, and unchanged scope.
That means CVE-2026-56155 is not a pre-authentication remote-code-execution flaw that an anonymous internet user can trigger directly against an AD FS endpoint. An attacker must already have some authorized access in the affected environment. The risk is that a limited foothold can be converted into control over federation secrets and potentially administrator-level privileges.
Microsoft credited its Detection and Response Team, commonly known as DART, with reporting the issue, according to July Patch Tuesday analysis from Tenable. Microsoft has not publicly documented the observed attacks, identified the threat actor involved, or described the initial access method.
After the update is installed, AD FS checks the DKM container approximately one minute after the service starts and every 24 hours afterward. Administrators should inspect the
For Windows Server 2016 and later, administrators can opt into remediation by creating the
Windows Server 2012 and Windows Server 2012 R2 require an additional step. The AD FS service account must first receive the necessary
Microsoft recommends saving the previous ACL recorded in Event ID 1135 immediately after a successful repair. Event logs can roll over, and the old SDDL value may be needed if an unexpected application or operational dependency breaks after permissions are tightened.
Under the expected secure configuration, Domain Admins, Enterprise Admins, and SYSTEM retain full control. The AD FS service account receives the permissions required to read and maintain the container, including read, write, create-child, write-owner, and delete-tree rights.
That narrow list is precisely why administrators should use the Audit window rather than waiting for enforcement. Organizations may have delegated access to backup identities, federation-management accounts, monitoring products, migration tooling, or service accounts that were added over years of AD FS operation. Those entries may be insecure, but removing them without testing could also expose an undocumented dependency.
The practical process is to patch every AD FS node, restart or cycle the service during a controlled window, and review Events 1132 through 1136 across the farm. If Microsoft’s baseline conflicts with an operational requirement, administrators should determine whether the extra principal genuinely needs access to the DKM container instead of preserving permissions by default.
Security teams should also treat the active-exploitation designation as an incident-hunting prompt. Finding an overly broad ACL does not establish that the environment was compromised, but organizations should review historical access to the DKM container, unexpected changes to AD FS service accounts, certificate activity, suspicious token issuance, and privileged access on federation servers.
The opt-out leaves detection enabled, so Event ID 1132 can continue warning that the ACL is insecure. Microsoft cautions that opting out also leaves the DKM container vulnerable and should be reserved for a specific compatibility requirement backed by a manual hardening plan.
Automatic October remediation will not apply to Windows Server 2012 or Windows Server 2012 R2. Those older platforms must receive their prerequisite service-account permissions and be remediated through the documented opt-in procedure.
KB5121391 applies to AD FS deployments on Windows Server 2012 and 2012 R2 with Extended Security Updates, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 23H2, and Windows Server 2025. The National Vulnerability Database identifies fixed build thresholds including 14393.9339 for Server 2016, 17763.9020 for Server 2019, 20348.5386 for Server 2022, and 26100.33158 for Server 2025.
The report-confidence assessment is Confirmed, supported by Microsoft’s acknowledgement, a shipped security update, detailed hardening guidance, and evidence of exploitation in the wild. For administrators, however, the important distinction is between confidence that the vulnerability exists and confidence that a server is protected: the July update supplies detection and an opt-in repair, while the ACL itself remains the item that must be verified.
Detailed in Microsoft’s Security Update Guide and companion advisory KB5121391, the flaw carries a CVSS 3.1 score of 7.8 and is rated Important. Microsoft says an authorized local attacker with low privileges can exploit insufficiently granular access controls without user interaction, potentially causing high confidentiality, integrity, and availability impact.
The vulnerability is not theoretical. Microsoft lists exploitation as detected, while the Cybersecurity and Infrastructure Security Agency added CVE-2026-56155 to its Known Exploited Vulnerabilities catalog on July 14. CISA set a July 28, 2026 remediation deadline for affected US federal systems.
AD FS Keys Are the Real Prize
Active Directory Federation Services uses a Distributed Key Manager, or DKM, container in Active Directory to hold symmetric keys. Those keys protect the private keys associated with AD FS token-signing and token-encryption certificates.If the DKM container’s access control list is too permissive, an attacker who obtains read access to its key material may be able to decrypt the token-signing private keys. That turns an apparently local permissions problem into an identity-system compromise with consequences beyond the individual server.
A stolen token-signing key may enable an attacker to create tokens that appear to have been issued by the trusted federation service. The exact reach depends on the organization’s AD FS configuration, claims rules, relying-party trusts, and connected applications, but the affected material sits at a particularly sensitive point in the authentication chain.
Microsoft describes the underlying weakness as insufficient granularity of access control, tracked as CWE-1220. Its CVSS vector specifies a local attack with low complexity, low privileges, no user interaction, and unchanged scope.
That means CVE-2026-56155 is not a pre-authentication remote-code-execution flaw that an anonymous internet user can trigger directly against an AD FS endpoint. An attacker must already have some authorized access in the affected environment. The risk is that a limited foothold can be converted into control over federation secrets and potentially administrator-level privileges.
Microsoft credited its Detection and Response Team, commonly known as DART, with reporting the issue, according to July Patch Tuesday analysis from Tenable. Microsoft has not publicly documented the observed attacks, identified the threat actor involved, or described the initial access method.
July’s Update Starts With Detection, Not Enforcement
KB5121391 introduces a phased hardening plan rather than immediately rewriting every affected DKM container ACL. The July 14 update places AD FS into an Audit mode designed to identify permissions that do not match Microsoft’s new secure baseline.After the update is installed, AD FS checks the DKM container approximately one minute after the service starts and every 24 hours afterward. Administrators should inspect the
AD FS/Admin event log for four relevant events:- Event ID 1132 warns that the DKM container ACL does not match the expected secure state.
- Event ID 1133 confirms that the ACL already meets the secure baseline.
- Event ID 1134 reports that the detection task failed, potentially because of an LDAP connectivity or permissions problem.
- Event ID 1135 records successful remediation and includes the previous ACL in Security Descriptor Definition Language format.
For Windows Server 2016 and later, administrators can opt into remediation by creating the
RemediateDkmAcl DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS and setting it to 1. The setting needs to be applied to only one AD FS server in the farm; administrators can then wait for the next detection cycle or restart the AD FS service to trigger the process sooner.Windows Server 2012 and Windows Server 2012 R2 require an additional step. The AD FS service account must first receive the necessary
WriteOwner and WriteDacl rights on the DKM container, or the automated remediation attempt will fail.Microsoft recommends saving the previous ACL recorded in Event ID 1135 immediately after a successful repair. Event logs can roll over, and the old SDDL value may be needed if an unexpected application or operational dependency breaks after permissions are tightened.
The Secure Baseline Removes Extra Principals
Microsoft’s remediation disables inheritance on the DKM container and discards inherited access-control entries. It also removes explicit Allow entries for principals outside a short approved set.Under the expected secure configuration, Domain Admins, Enterprise Admins, and SYSTEM retain full control. The AD FS service account receives the permissions required to read and maintain the container, including read, write, create-child, write-owner, and delete-tree rights.
That narrow list is precisely why administrators should use the Audit window rather than waiting for enforcement. Organizations may have delegated access to backup identities, federation-management accounts, monitoring products, migration tooling, or service accounts that were added over years of AD FS operation. Those entries may be insecure, but removing them without testing could also expose an undocumented dependency.
The practical process is to patch every AD FS node, restart or cycle the service during a controlled window, and review Events 1132 through 1136 across the farm. If Microsoft’s baseline conflicts with an operational requirement, administrators should determine whether the extra principal genuinely needs access to the DKM container instead of preserving permissions by default.
Security teams should also treat the active-exploitation designation as an incident-hunting prompt. Finding an overly broad ACL does not establish that the environment was compromised, but organizations should review historical access to the DKM container, unexpected changes to AD FS service accounts, certificate activity, suspicious token issuance, and privileged access on federation servers.
October Turns the Audit Into Automatic Remediation
Microsoft plans to move Windows Server 2016 and newer systems into Enforcement mode with the October 13, 2026 security update. At that point, remediation will run automatically unless administrators explicitly setRemediateDkmAcl to 0.The opt-out leaves detection enabled, so Event ID 1132 can continue warning that the ACL is insecure. Microsoft cautions that opting out also leaves the DKM container vulnerable and should be reserved for a specific compatibility requirement backed by a manual hardening plan.
Automatic October remediation will not apply to Windows Server 2012 or Windows Server 2012 R2. Those older platforms must receive their prerequisite service-account permissions and be remediated through the documented opt-in procedure.
KB5121391 applies to AD FS deployments on Windows Server 2012 and 2012 R2 with Extended Security Updates, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 23H2, and Windows Server 2025. The National Vulnerability Database identifies fixed build thresholds including 14393.9339 for Server 2016, 17763.9020 for Server 2019, 20348.5386 for Server 2022, and 26100.33158 for Server 2025.
The report-confidence assessment is Confirmed, supported by Microsoft’s acknowledgement, a shipped security update, detailed hardening guidance, and evidence of exploitation in the wild. For administrators, however, the important distinction is between confidence that the vulnerability exists and confidence that a server is protected: the July update supplies detection and an opt-in repair, while the ACL itself remains the item that must be verified.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com