Hot on the heels of the biggest ever Chrome update that saw Google fix 429 security vulnerabilities, Microsoft has also been breaking records. The July Patch Tuesday rollout has addressed 570 vulnerabilities, almost tripling the previous largest update in June. That, however, is not the headline here: Microsoft has warned that two zero-day vulnerabilities, CVE-2026-56155 and CVE-2026-56164, have already been exploited by attackers in the wild. As such, users of Active Directory Federation Services and SharePoint Server need to prioritize these updates.

While Microsoft is no stranger to zero-day attacks ( 1 , 2 , 3 ), the seriousness of actively exploited vulnerabilities should never be played down. Microsoft has yet to disclose any details of how or when the two vulnerabilities were used in attacks, but it has confirmed them as in-the-wild nonetheless. CVE-2026-56155 is listed as an Active Directory Federation Services elevation of privilege vulnerability while CVE-2026-56164 is a Microsoft SharePoint Server elevation of privilege vulnerability.

Microsoft CVE-2026-56155 and CVE-2026-56164 Zero-Days Explained

Jack Bicer, director of vulnerability research at Action1, warned that a successful attack that exploits CVE-2026-56155 could grant administrator privileges, enabling an attacker to gain complete control over the affected system. “In environments using AD FS for authentication and identity services, administrator-level compromise can lead to unauthorized access to sensitive business resources, disruption of critical services, deployment of ransomware, theft of credentials, and broader compromise of enterprise infrastructure.”

As far as the SharePoint Server zero-day is concerned, Adam Barnett, the principal software engineer at Rapid7, told me that “successful exploitation allows an attacker to elevate privileges over a network, with no existing privileges required, and low attack complexity since an attacker does not require significant prior knowledge of the system, and can achieve repeatable success.”

Enterprise security teams are advised to prioritize these vulnerabilities when deploying the latest Microsoft updates. Jon Levenson, a director at Automox, urged them to “patch it first,” in the case of CVE-2026-56155, “ahead of the higher-scoring bugs,” as “active exploitation outranks a bigger number.” Levenson also said that security teams should treat ADFS as a tier-zero identity infrastructure, review who can reach it locally and, once the initial box is patched, “walk the rest of your identity path,” because a privilege escalation such as this one is actually the second step in a chain, not the whole attack. The same patching priority advice applies to CVE-2026-56164, with Levenson adding that teams should also “audit site-owner and elevated-permission grants after patching, in case the access gained here was already used to create one.”