570 Fixes, Two Live Zero-Days, and Both Are Privilege Bugs in Plumbing You Forgot You Run. ADFS Is the Shingles of Your Network.
- Patrick Duggan
- 2 hours ago
- 5 min read
Microsoft's July 14 Patch Tuesday closed 570 vulnerabilities — 59 of them Critical — and three zero-days. Two of those zero-days are being exploited in the wild right now. Here is the part that should reorganize your patch queue: neither of the two exploited bugs is a remote-code-execution flaw. Both are elevation of privilege. And both were found by incident responders picking through live breaches, not by researchers in a lab.
One is CVE-2026-56164 in SharePoint, which we wrote about this morning. The other is CVE-2026-56155 in Active Directory Federation Services. I will be honest: when the KEV entry first crossed my desk, I filed ADFS under "thin" — a local privilege-escalation bug that needs an already-authorized attacker, the kind of thing that reads like a footnote next to an unauthenticated internet-facing RCE. That was wrong, and the reason it was wrong is the whole point of this post.
Shingles
ADFS is the shingles of an enterprise network.
Chickenpox does not leave when the spots clear. The virus retreats into your nerves and sits there, dormant, for decades — quiet, forgotten, doing nothing — until one day it reactivates as shingles, and shingles is not a childhood nuisance. It follows a nerve line and it hurts.
You deployed ADFS years ago. It was how you did single sign-on before the cloud identity providers ate that job. Then you migrated to Entra, or Okta, or Ping, and you moved on. But the ADFS farm is almost certainly still there — still domain-joined, still trusted by things you have not audited since the migration, still holding the token-signing keys that let it vouch for identities across your estate. Dormant. Forgotten. Unpatched, because nobody owns it anymore. Unwatched, because it fell off the diagram.
That is the box CVE-2026-56155 flares up in.
Why "Local" and "Authorized" Do Not Mean "Safe"
The caveat that made me call it thin — an attacker needs low-privilege authenticated access to the host first — is exactly why it is dangerous. It is not the front door. It is the second move.
Think about how the other zero-day in this same Patch Tuesday works. CVE-2026-56164 lets an unauthenticated attacker onto a SharePoint server over the network. That is the foot in the door. Now the attacker is authenticated to something inside your environment, which is precisely the precondition CVE-2026-56155 asks for. The edge flaw gets them in; the ADFS flaw turns that foothold into control of the machine that mints identity for everyone. Chain the two and you have gone from "internet stranger" to "trusted issuer of who-is-who" in two hops, using two bugs Microsoft patched on the same day.
ADFS is insufficient-granularity-of-access-control here, and Microsoft's fix specifically hardened the AD FS Distributed Key Manager container — the part that guards the signing keys. Those keys are the crown jewels. An attacker who reaches them does not need to breach each downstream application. They forge the tokens those applications already trust and walk in as anyone. This is the on-premises version of the exact failure mode we have covered all year on the cloud side: steal the trust-broker's tokens and the whole federation opens.
That is our honest comparator on this one. We did not pre-stage CVE-2026-56155 — Microsoft's own DART team found it inside an active intrusion, and nobody outside the attacker beats a discovery like that. What we have is the pattern, tracked for months: UNC6395 and the Salesloft Drift OAuth breach, the third Salesforce OAuth theft in twelve months, the stolen GitHub token that let an actor walk 1.3 terabytes out of Novo Nordisk. Every one of those was the same physics — do not break the app, steal the credential the app trusts. ADFS is where that physics lives on-prem, and yesterday it became a live zero-day.
CISA Already Told You the Sort Order
In the SharePoint hardening advisory it published the same day, CISA said to prioritize internet-facing SharePoint servers and AD FS infrastructure — by exposure, not by CVSS score. Read that again. The agency named ADFS in the same breath as the internet-facing RCE, and it explicitly told you to stop sorting your response by the severity number in the bulletin.
That is the lesson underneath a 570-CVE Patch Tuesday. You cannot patch 570 things at once, so something has to decide the order, and if that something is the CVSS column you will spend your first day on high-scoring bugs behind three firewalls while the two actually-exploited privilege flaws sit unpatched on the boxes attackers can reach. Exposure decides urgency. Reachability decides urgency. The two zero-days being exploited this week are a CVSS 7-ish EoP and another EoP — mid-scoring bugs that are the actual emergency, because they are the ones in the wild.
The Meta: This Was an AI-Sized Patch Tuesday
570 fixes is not a normal month. Microsoft said out loud what drove it: AI-accelerated bug hunting, on both sides of the fence. They are using AI to find flaws in their own code faster, and they are warning that attackers are using AI to find exploitable gaps just as fast. That is why their own guidance has quietly shifted from "patch within weeks" to "patch within three days."
We have been writing that story from the attacker's end for weeks — the AI agent that ran a whole ransomware operation by itself, the malware that narrated its own reasoning in its payload. This is the defender's end of the same curve. The window between a flaw being findable and a flaw being exploited is collapsing because both sides now have a machine reading the code. Three days is not a suggestion anymore. On a box like ADFS that nobody has owned since the migration, three days is a fantasy — which is the real reason it is shingles.
What To Do
Patch CVE-2026-56155 across every Windows Server generation you run ADFS on — 2012 through 2025 are all in scope. But patching a token-signing box does not evict an attacker who already lifted the keys, the same way patching SharePoint does not undo a stolen machine key. If you have any reason to think ADFS was reached, rotate the token-signing and token-decrypting certificates and cycle the Distributed Key Manager keys. Then hunt: look for token issuance you cannot account for and access-control changes on the ADFS host you did not make.
And take the shingles lesson seriously, because it is the one that removes the problem instead of patching it. If you migrated your identity to the cloud and the ADFS farm is still standing only because nobody got around to turning it off, that farm is not infrastructure — it is dormant liability with live keys. Decommission it. The safest ADFS zero-day is the one that lands on a server you already retired. You cannot get privilege-escalated through a trust-broker you no longer run.
I called this one thin this morning. It is one of exactly two things being actively exploited out of 570, it chains cleanly behind the other one, and it lives on the box you forgot you were still carrying. That is not thin. That is shingles.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments