Decoding the world of cybersecurity

Microsoft patches exploited AD FS and SharePoint flaws

Microsoft’s July security update includes exploited vulnerabilities affecting Active Directory Federation Services and SharePoint Server.

Microsoft patches exploited AD FS and SharePoint flaws
Summary
  • Microsoft’s July 2026 update includes exploited flaws affecting AD FS and SharePoint Server.
  • The affected systems sit close to identity federation, access control, collaboration, and document infrastructure.
  • Organisations running hybrid or on-premises Microsoft estates need to prioritise remediation and review for signs of compromise.

Microsoft has released its July security updates with exploited vulnerabilities affecting Active Directory Federation Services and Microsoft SharePoint Server, two systems that sit close to identity, access, and collaboration risk.

Cisco Talos’ July Patch Tuesday analysis says Microsoft disclosed 622 vulnerabilities across affected products, including 57 marked critical. Talos says Microsoft identified two vulnerabilities as exploited in the wild: CVE-2026-56155, an important-severity elevation of privilege flaw in Active Directory Federation Services, and CVE-2026-56164, a moderate-severity spoofing flaw in SharePoint Server.

The affected systems are more important than the raw patch count. AD FS supports identity federation, authentication flows, and hybrid access architectures. SharePoint Server remains embedded in collaboration, document management, intranet, workflow, and on-premises or hybrid enterprise estates. Exploitation affecting either area can create exposure beyond a single application.

CVE-2026-56155 is described as an AD FS elevation of privilege vulnerability caused by insufficient granularity of access control. Talos says an authorised attacker could use it to elevate privileges locally. CVE-2026-56164 is described as a SharePoint Server spoofing vulnerability caused by missing authentication for a critical function, with potential exploitation over a network by an unauthorised attacker.

Exploitation status should alter patch sequencing for organisations still running affected components. Identity and collaboration systems are valuable targets because they sit near users, documents, workflows, permissions, and trust relationships. Manipulation of identity infrastructure or collaboration platforms can extend into mail, files, business processes, and supplier access.

The July update also exposes the governance complexity of Microsoft estates. Many organisations run a mixture of cloud services, hybrid identity, legacy servers, on-premises collaboration systems, third-party integrations, and line-of-business applications dependent on Microsoft components. Patch governance has to account for service ownership, change windows, backup and rollback planning, and the possibility that exploited flaws require investigation as well as remediation.

SharePoint Server deserves close attention where it is treated as legacy internal infrastructure while still holding sensitive documents and workflows. Internet exposure, weak segmentation, excessive permissions, and delayed patching can make collaboration platforms valuable targets. Even where SharePoint is not directly internet-facing, a foothold elsewhere in the network may allow attackers to exploit internal weaknesses.

AD FS risk is different but equally sensitive. Identity infrastructure underpins access decisions, federation, and trust between environments. Organisations using AD FS should review patch status, service exposure, privileged access paths, and monitoring for unusual authentication or privilege escalation activity.

Microsoft’s update guide should be used for remediation, while Cisco Talos’ July Patch Tuesday analysis provides useful context on exploitation status and affected product areas. The priority is to identify which patched systems sit closest to identity, collaboration, and recoverability, then confirm whether those systems have already been touched by attackers.

×