Published Thursday, July 16, 2026 at 06:17 AM PT

<strong>BREAKING: Two Microsoft Zero-Days Actively Exploited in SharePoint and AD FS</strong>

BLUF: Microsoft has patched two actively exploited zero-day vulnerabilities affecting on-premises SharePoint Server (CVE-2026-56164) and Active Directory Federation Services (CVE-2026-56155) as part of July 2026 Patch Tuesday. Organizations running these services should prioritize patching immediately. Exploitation is confirmed in the wild.


DETAILS:

  • CVE-2026-56164 targets on-premises Microsoft SharePoint Server with remote exploitation capability; active exploitation confirmed
  • CVE-2026-56155 affects Active Directory Federation Services (AD FS); active exploitation confirmed
  • Both vulnerabilities were zero-day at time of discovery and included in Microsoft’s July 2026 Patch Tuesday release
  • Patches are available; specific CVSS scores and technical attack vectors not yet fully detailed in available reporting
  • Note: Source material truncated; complete technical specifications require access to full Microsoft advisory

IMPACT:

  • Scope: Organizations operating on-premises SharePoint Server and/or AD FS deployments are directly at risk
  • Criticality: High — both services are core identity and content infrastructure; compromise could enable lateral movement, data exfiltration, and persistent access
  • Affected Versions: Specific version ranges uncertain pending full advisory review; assume all supported on-premises deployments require assessment

RECOMMENDED ACTIONS:

  1. Immediate: Identify all on-premises SharePoint Server and AD FS instances in your environment
  2. Urgent: Apply Microsoft July 2026 patches to both services; prioritize AD FS as identity infrastructure
  3. Monitor: Review authentication logs and SharePoint access logs for anomalous activity dating back 30+ days
  4. Assess: Determine if either service was exposed to untrusted networks during zero-day window
  5. Plan: If patching cannot be completed within 48 hours, consider temporary network isolation of affected systems

SOURCES:

  • SOC Prime threat intelligence
  • Microsoft July 2026 Patch Tuesday advisory (partial)