Microsoft’s July 2026 Patch Tuesday drew immediate attention not just because of its record scale, but because two actively exploited zero-days hit some of the most sensitive parts of enterprise infrastructure. CVE-2026-56164 targets on-premises SharePoint Server and is remotely exploitable in low-complexity attacks, while CVE-2026-56155 targets Active Directory Federation Services and allows privilege escalation from a low-privileged local foothold. Together, they show why defenders should not sort this month’s risk by score alone.
The SharePoint bug is the more urgent internet-facing issue. Public reporting says it requires no credentials and no user interaction, making it especially dangerous for organizations still running self-hosted SharePoint. The AD FS flaw is narrower in reach, but just as important in practice because federation infrastructure sits at the center of enterprise identity and trust. Once attackers reach that layer, the impact can extend far beyond a single host.
CVE-2026-56164 and CVE-2026-56155 analysis
For CVE-2026-56164 analysis, the key point is that Microsoft and outside reporting both describe the flaw as already exploited in real attacks against on-prem SharePoint. It is an elevation-of-privilege issue, but unlike many privilege bugs, it is remotely exploitable and low complexity, which makes it much more operationally dangerous than the label alone suggests.
The current details for CVE-2026-56164 remain limited. Microsoft has not publicly explained the exact exploit chain, the responsible actor, or the full post-compromise behavior. What is clear is that the flaw affects self-hosted SharePoint Server and should be treated as a high-priority patching event, especially because the same July updates also fix additional SharePoint remote code execution and security bypass issues.
The AD FS zero-day has a different profile. CVE-2026-56155 affects Active Directory Federation Services and starts from local low privileges, which means it is more likely to be useful after an attacker already gains some access. That said, AD FS is exactly the type of identity infrastructure attackers want once they are inside a network, because it sits in the authentication path for the rest of the environment.
At the time of writing, there is no public CVE-2026-56164 PoC, and no publicly detailed CVE-2026-56155 IOCs in the cited reporting. That means defenders should focus less on signature-based detection and more on exposure reduction, patch deployment, and post-compromise review of the systems most likely to be abused.
CVE-2026-56164 and CVE-2026-56155 Mitigation
Microsoft’s recommended response is straightforward: patch both flaws immediately. For SharePoint, enabling AMSI in Full Mode can help blunt attacks, but patching remains the priority because the July updates also close additional SharePoint weaknesses that attackers may chain together. That makes CVE-2026-56164 detection less about waiting for perfect telemetry and more about confirming which servers are exposed, internet-facing, and still unpatched.
For AD FS, the fix is bundled into Windows and Windows Server updates, and Microsoft has also started hardening the access control list on the AD FS Distributed Key Manager container. In practice, CVE-2026-56155 mitigation should be treated as both a patching exercise and an identity-tier hardening exercise.
To Detect CVE-2026-56155, security teams should prioritize federation servers, validate that the relevant updates have been applied, and review for suspicious local privilege changes or abuse of identity infrastructure. The same logic applies to SharePoint: inventory all on-prem servers, patch quickly, and review whether any externally reachable instances have shown signs of unusual access or post-authentication abuse since the earliest observed exploitation window.
Disclaimer: Detection content may not be available for every CVE. Check the SOC Prime Platform for current coverage. If you don’t find relevant detections now, please check back later.
FAQ
What are CVE-2026-56164 and CVE-2026-56155 and how does it work?
CVE-2026-56164 is an actively exploited elevation-of-privilege flaw in on-prem Microsoft SharePoint Server that is remotely exploitable in low-complexity attacks. CVE-2026-56155 is an actively exploited elevation-of-privilege flaw in Active Directory Federation Services that begins from local low privileges and can help attackers pivot deeper into identity infrastructure.
When were CVE-2026-56164 and CVE-2026-56155 first discovered?
The public reports do not disclose a private discovery date for either issue. What is known is that Microsoft publicly shipped fixes in July 2026 and credited incident responders for both, which strongly suggests discovery during real-world attack investigation.
What is the impact of CVE-2026-56155 on systems?
The most serious impact of CVE-2026-56155 is privilege escalation on an AD FS host, which can matter far more than the local-access requirement implies because AD FS signs and brokers identity trust across the environment. In the wrong hands, compromise of that role can support broader lateral movement and follow-on abuse.
Can CVE-2026-56164 and CVE-2026-56155 still affect me in 2026?
Yes. Organizations can still be exposed in 2026 if they have not applied the July 2026 Microsoft updates, especially if they run internet-facing on-prem SharePoint or maintain AD FS servers that are already accessible to attackers through an existing foothold.
How can I protect myself from CVE-2026-56164 and CVE-2026-56155?
Patch immediately, enable AMSI Full Mode on SharePoint as an added control, deploy the bundled Windows and Windows Server updates for AD FS, and review your most sensitive collaboration and identity systems for signs of post-compromise abuse. In this case, speed matters more than waiting for fuller public exploit disclosure.