External risk intelligence

AD FS Local Privilege Elevation Vulnerability

CVE advisoryKnown Exploit

CVE-2026-56155

The vulnerability requires an authorized attacker to elevate privileges locally. It does not involve remote network-based exploitation or public-facing interfaces, as the attack vector is restricted to local access within the environment.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A local access control weakness in Active Directory Federation Services could allow an attacker who already has some access to gain higher privileges within the system. This elevates the potential risk of unauthorized actions if this vulnerability is exploited.

  • Local access weakness grants higher system privileges.
  • Confirms local access for potential internal threats.
  • Verify relevance and local exposure.

Attack Path

How an attacker could exploit the issue

An attacker who can already access a system with some level of authorization could exploit this by leveraging weaknesses in how Active Directory Federation Services controls access. This allows them to gain higher privileges on the local system, potentially leading to unauthorized access to sensitive information or further system compromise.

  • Attacker must already have local access.
  • Vulnerability triggered by improper access controls.
  • Risk of local privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

An authorized attacker with local access to Active Directory Federation Services (AD FS) could escalate their privileges. This means an attacker who can already run commands on a system where AD FS is installed could gain higher-level access than they are supposed to have.

  • System access could be elevated.
  • Attacker exploits local privilege escalation.
  • Unauthorized system control may result.

Operational Fix

Recommended remediation, mitigation, and detection steps

The "Insufficient granularity of access control" vulnerability in Active Directory Federation Services (AD FS) requires an authorized attacker to have local access, suggesting that AD FS administrators and potentially internal security operations teams are the primary stakeholders. The immediate practical step is to identify all AD FS deployments, assess their criticality, and confirm ownership to plan remediation.

  • AD FS administrators own the issue.
  • Verify AD FS exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Active Directory Federation Services (AD FS)?

Active Directory Federation Services is a Microsoft software component that provides single sign-on capabilities, allowing users to access multiple applications using one set of credentials across different organizational boundaries. It acts as a security token service, facilitating trust between internal corporate networks and external cloud or partner applications.

What does insufficient granularity of access control mean for CVE-2026-56155?

This weakness, classified as CWE-1220, means the software does not restrict user permissions precisely enough. In this specific CVE, the system fails to properly enforce boundaries for an already authorized user, which allows that person to perform actions or access data that should be off-limits to their assigned account level.

How is this vulnerability triggered?

An attacker must already have local access to the system where AD FS is installed to attempt this privilege escalation. The bug is not triggered by remote network requests or traffic directed at the service over the internet; it requires the attacker to be physically or logically logged into the host machine to manipulate the software.

Why should I care if my AD FS is not internet-facing?

Even if your system is not exposed to the public internet, Halo Surface Signal identifies this as an internal risk. Because the vulnerability requires local access, it is primarily a concern for lateral movement by an attacker who has already gained a foothold within your internal environment.

What are the first steps to manage this risk?

Begin by inventorying all servers in your environment running AD FS to determine which are critical. Once you have identified these assets, work with your administration team to verify ownership and plan for the deployment of official vendor updates as soon as they are made available to mitigate the potential for local privilege escalation.

References