CVE-2026-56155
HIGH KEV CISA Exploitation: ACTIVE
7.8
CVSS 3.1
Metadata
Severity & Metrics
7.8
HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
SSVC — CISA Coordinator
CISA Known Exploited Vulnerability
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA description
Microsoft Active Directory Federation Services contains an insufficient granularity of access control vulnerability that allows an authorized attacker to elevate privileges locally.
Affected products (13)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Microsoft | Windows 10 Version 1607 | 32-bit Systems,x64-based Systems | 10.0.14393.0 < 10.0.14393.9339 |
| Microsoft | Windows 10 Version 1809 | 32-bit Systems,x64-based Systems | 10.0.17763.0 < 10.0.17763.9020 |
| Microsoft | Windows Server 2012 | x64-based Systems | 6.2.9200.0 < 6.2.9200.26226 |
| Microsoft | Windows Server 2012 (Server Core installation) | x64-based Systems | 6.2.9200.0 < 6.2.9200.26226 |
| Microsoft | Windows Server 2012 R2 | x64-based Systems | 6.3.9600.0 < 6.3.9600.23291 |
| Microsoft | Windows Server 2012 R2 (Server Core installation) | x64-based Systems | 6.3.9600.0 < 6.3.9600.23291 |
| Microsoft | Windows Server 2016 | x64-based Systems | 10.0.14393.0 < 10.0.14393.9339 |
| Microsoft | Windows Server 2016 (Server Core installation) | x64-based Systems | 10.0.14393.0 < 10.0.14393.9339 |
| Microsoft | Windows Server 2019 | x64-based Systems | 10.0.17763.0 < 10.0.17763.9020 |
| Microsoft | Windows Server 2019 (Server Core installation) | x64-based Systems | 10.0.17763.0 < 10.0.17763.9020 |
| Microsoft | Windows Server 2022 | x64-based Systems | 10.0.20348.0 < 10.0.20348.5386 |
| Microsoft | Windows Server 2025 | x64-based Systems | 10.0.26100.0 < 10.0.26100.33158 |
| Microsoft | Windows Server 2025 (Server Core installation) | x64-based Systems | 10.0.26100.0 < 10.0.26100.33158 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-1220 | cna | CWE-1220: Insufficient Granularity of Access Control |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
References (1)
- Active Directory Federation Services Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155