Back to overview

CVE-2026-56155

HIGH KEV CISA Exploitation: ACTIVE
7.8
CVSS 3.1

Metadata

CVE ID
CVE-2026-56155
State
PUBLISHED
Assigner
microsoft
Reserved
2026-06-19 13:53 UTC
Published
2026-07-14 17:05 UTC
Last updated
2026-07-14 19:58 UTC
Primary CWE
CWE-1220
CWE-1220: Insufficient Granularity of Access Control
Vendor / Product
Microsoft / Windows 10 Version 1607
Sources
cve.org  ·  NVD

Severity & Metrics

7.8 HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
SSVC — CISA Coordinator
Exploitation
ACTIVE
Automatable
no
Tech. Impact
total
CISA Known Exploited Vulnerability
Vulnerability name
Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
Vendor
Microsoft
Product
Active Directory Federation Services
Added to KEV
2026-07-14
Due date
2026-07-28
Ransomware
Not known
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA description
Microsoft Active Directory Federation Services contains an insufficient granularity of access control vulnerability that allows an authorized attacker to elevate privileges locally.
Affected products (13)
VendorProductPlatformVersions
Microsoft Windows 10 Version 1607 32-bit Systems,x64-based Systems 10.0.14393.0 < 10.0.14393.9339
Microsoft Windows 10 Version 1809 32-bit Systems,x64-based Systems 10.0.17763.0 < 10.0.17763.9020
Microsoft Windows Server 2012 x64-based Systems 6.2.9200.0 < 6.2.9200.26226
Microsoft Windows Server 2012 (Server Core installation) x64-based Systems 6.2.9200.0 < 6.2.9200.26226
Microsoft Windows Server 2012 R2 x64-based Systems 6.3.9600.0 < 6.3.9600.23291
Microsoft Windows Server 2012 R2 (Server Core installation) x64-based Systems 6.3.9600.0 < 6.3.9600.23291
Microsoft Windows Server 2016 x64-based Systems 10.0.14393.0 < 10.0.14393.9339
Microsoft Windows Server 2016 (Server Core installation) x64-based Systems 10.0.14393.0 < 10.0.14393.9339
Microsoft Windows Server 2019 x64-based Systems 10.0.17763.0 < 10.0.17763.9020
Microsoft Windows Server 2019 (Server Core installation) x64-based Systems 10.0.17763.0 < 10.0.17763.9020
Microsoft Windows Server 2022 x64-based Systems 10.0.20348.0 < 10.0.20348.5386
Microsoft Windows Server 2025 x64-based Systems 10.0.26100.0 < 10.0.26100.33158
Microsoft Windows Server 2025 (Server Core installation) x64-based Systems 10.0.26100.0 < 10.0.26100.33158
Weakness (CWE)
CWESourceDescription
CWE-1220 cna CWE-1220: Insufficient Granularity of Access Control
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.8 HIGH 3.1 cna CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
References (1)
Back to overview