Microsoft July Patch Tuesday Fixes AD FS and SharePoint Zero-Days

Microsoft fixed exploited AD FS and SharePoint Server zero-days in July Patch Tuesday. Prioritize CVE-2026-56164 and CVE-2026-56155 before routine CVEs.

Microsoft’s July 2026 Patch Tuesday should be sorted by exploitation first, not by the biggest CVSS number. Two vulnerabilities from the release are already marked as exploited by Microsoft and were added by CISA to the Known Exploited Vulnerabilities catalog on July 14: CVE-2026-56164 in Microsoft SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.[1]

The SharePoint bug has the shorter federal clock. CISA lists CVE-2026-56164 with a July 17, 2026 due date, while the AD FS flaw has a July 28 due date.[1] For private organizations, the dates are still useful triage signals: SharePoint is an internet-reachable collaboration platform in many environments, and AD FS sits close to the identity layer that other systems trust.

CVE-2026-56164 is a missing-authentication flaw in Microsoft Office SharePoint that can allow an unauthenticated attacker to elevate privileges over the network. Microsoft rates it Moderate with CVSS 5.3, but the advisory also marks exploitation as detected and says the attack vector is network, attack complexity is low, no privileges are required, and no user interaction is needed.[2] That combination matters more than the severity label.

Microsoft lists affected SharePoint products as SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The July fixes are KB5002882 for Subscription Edition, KB5002883 for SharePoint Server 2019, and KB5002891 for SharePoint Enterprise Server 2016, with fixed builds 16.0.19725.20434, 16.0.10417.20175, and 16.0.5561.1001 respectively.[2]

CISA’s separate SharePoint hardening alert raises the urgency further because it groups the new CVE with earlier exploited SharePoint flaws, CVE-2026-32201 and CVE-2026-45659, and warns about active exploitation against on-premises SharePoint instances.[3] HowToFix covered SharePoint Server CVE-2026-45659 earlier this month; the new item should be treated as a continuation of the same operational risk for self-hosted SharePoint, not as a disconnected low-score patch.

What Admins Should Prioritize

Start with exposed SharePoint farms. Confirm the exact product line, installed build, internet exposure, and whether AMSI integration is enabled. Microsoft’s CVE-2026-56164 advisory specifically calls out AMSI integration with SharePoint Server and Full request-body scan mode as a mitigating control that can help detect payloads in SharePoint and IIS worker process memory.[2] Mitigation is not a substitute for patching, but it is a useful control while maintenance windows are being executed.

Administrators should also review SharePoint logs and web server telemetry for unexpected access patterns, newly changed application files, unusual authentication paths, and evidence that an attacker chained old and new SharePoint bugs. CISA’s alert tells organizations to detect and remediate possible compromise, which means the response should include validation of server state and credentials, not only installation of a cumulative update.[3]

CVE-2026-56155 is different but still important. Microsoft describes it as an insufficient-granularity access-control flaw in AD FS that allows an authorized local attacker to elevate privileges. The advisory rates it Important, gives it CVSS 7.8, and says a successful attacker could gain administrator privileges.[4] Because AD FS signs and brokers trust for other applications, a local privilege issue on that system can become an identity incident if an attacker already has a foothold.

MSRC lists 15 affected product entries for CVE-2026-56155 across supported and extended-support Windows Server lines and related Windows packages, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 update tracks. The listed KBs include KB5099444, KB5099445, KB5099535, KB5099536, KB5099538, and KB5099540, and the relevant updates require a reboot.[4] AD FS operators should confirm the exact OS build and update package rather than assuming a generic Windows patch window covers the role.

For AD FS, the practical checklist is short: identify every federation server and proxy, patch and reboot in a controlled order, verify service health after update, review recent local logons and administrative group changes, and check whether any service accounts or token-signing operations were touched during the suspected exposure window. If identity infrastructure is already under investigation, connect this item with broader Microsoft 365 token and phishing risk, such as the recent Evilginx Microsoft 365 device-code phishing activity.

The wider Patch Tuesday release contains hundreds of fixes, and outside researchers counted the total differently depending on whether duplicate product tracks were included. That count is less important than the priority order. The two exploited CVEs should come before routine “critical” items that have no active-exploitation signal, much as previous Microsoft Defender zero-day response work depended on exploit status rather than headline score.

One caution for change management: SharePoint and AD FS updates can affect authentication flows, farm health, and dependent applications. Test where possible, but do not let testing queues bury the exploited items. For internet-facing SharePoint, assume that patching, AMSI validation, and compromise review belong in the same work ticket.

References

  1. CISA. Known Exploited Vulnerabilities Catalog, entries added July 14, 2026 for CVE-2026-56164 and CVE-2026-56155. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  2. Microsoft Security Response Center. CVE-2026-56164: Microsoft SharePoint Server Elevation of Privilege Vulnerability. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-56164
  3. CISA. CISA Urges SharePoint Hardening After New Exploitations, July 14, 2026. https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
  4. Microsoft Security Response Center. CVE-2026-56155: Active Directory Federation Services Elevation of Privilege Vulnerability. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-56155
  5. Tenable. July 2026 Patch Tuesday: Largest Patch Tuesday 569 CVEs, July 14, 2026. https://www.tenable.com/blog/microsofts-july-2026-patch-tuesday-addresses-569-cves-cve-2026-56155-cve-2026-56164

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment