What Happened
On July 14, 2026 Microsoft released its largest Patch Tuesday on record – 622 security updates across Windows, Office, Azure, and more. Two of those patches address actively‑exploited zero‑day vulnerabilities: CVE‑2026‑56164 in on‑premises SharePoint Server and CVE‑2026‑56155 in Active Directory Federation Services (AD FS) [1]. Both flaws allow privilege escalation without user interaction.
Technical Analysis
CVE‑2026‑56164 is an elevation‑of‑privilege bug in SharePoint Server that lets an unauthenticated attacker remotely gain administrative rights over the SharePoint farm. Microsoft attributes its discovery to Mandiant and Google’s FLARE team, indicating active exploitation in the wild [1]. CVE‑2026‑56155 targets AD FS, a federation service that issues authentication tokens. An already‑authenticated attacker can locally elevate to full administrator on the AD FS host, effectively compromising the entire identity infrastructure [2]. A third notable issue, CVE‑2026‑50661, is a BitLocker bypass that requires physical access but could enable attackers to exfiltrate encrypted data from compromised devices [3].
Who’s Affected
Any organization running self‑hosted SharePoint Server 2016/2019 or later, and any environment that relies on AD FS for single‑sign‑on, is directly vulnerable. Because AD FS token issuance underpins many SaaS integrations, the impact spans cloud applications, VPNs, and on‑premise services. The BitLocker bypass primarily concerns devices that still use BitLocker without hardware‑based TPM protection.
How to Protect Yourself
Apply the July 2026 cumulative update immediately – use WSUS, SCCM, or Intune to push the SharePoint and AD FS patches.
Enable AMSI (Anti‑Malware Scan Interface) in full mode on SharePoint servers as Microsoft recommends.
Audit all AD FS service accounts for excessive privileges and rotate their passwords.
Verify that BitLocker‑protected devices have TPM‑bound keys; if not, enforce TPM enrollment.
Run Microsoft’s Patch Tuesday compliance script to confirm no lingering vulnerable binaries.
The Sable Angle
At Sable we run automated scans that surface zero‑day chains before they hit production. Our proprietary research pipeline flags any AD FS or SharePoint misconfigurations that could amplify these exploits. If you need a rapid assessment of your federation surface or a hardened SharePoint deployment, check out our pricing page or dive into our in‑depth analysis. Our advisory team can help you lock down credential issuance and verify BitLocker integrity across your fleet.
Top comments (0)