SharePoint, AD FS Zero-Days Actively Exploited
Microsoft released 622 Common Vulnerabilities and Exposures (CVEs) as part of its July 2026 Patch Tuesday. The update includes critical fixes for two zero-day vulnerabilities: CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in Active Directory Federation Services (AD FS). Threat actors actively exploit both flaws in targeted attacks. The discovery of these flaws was credited to a collaboration between incident response teams, specifically Mandiant and Google's FLARE team for the SharePoint vulnerability, and Microsoft's DART incident response unit for the AD FS flaw.
The privilege escalation vulnerability in SharePoint Server, CVE-2026-56164, allows an unauthenticated attacker to remotely elevate privileges across the network, posing a significant risk to organizations managing self-hosted SharePoint environments. CVE-2026-56155 in Active Directory Federation Services enables an authenticated attacker to achieve local privilege escalation through weak access controls. These flaws demonstrate the persistent threat to core identity and collaboration infrastructure.
This release completes Microsoft's multi-year effort to harden Kerberos RC4. This requires administrators to verify all service accounts use stronger AES keys to avoid authentication failures. The volume of this month's patches and the immediate threat from actively exploited zero-days require rapid and strategic patch management.
Which Microsoft zero-days are under active exploitation?
Two zero-day vulnerabilities, CVE-2026-56164 and CVE-2026-56155, are confirmed under active exploitation by threat actors. These flaws represent immediate risks to affected organizations running Microsoft products.
CVE-2026-56164 is an elevation-of-privilege vulnerability in SharePoint Server. This flaw allows an unauthenticated attacker to escalate privileges over the network without requiring user interaction or prior credentials. The discovery and reporting of this vulnerability were attributed to the incident response teams at Mandiant and Google's FLARE team, indicating its presence in real-world attacks. Organizations operating self-hosted SharePoint installations are vulnerable, as SharePoint Server 2016 and 2019 reached the end of their extended support with this patch release. Beyond patching, Microsoft recommends enabling AMSI in Full Mode on the server to mitigate potential exploitation. SharePoint has been a target before; previous incidents, such as the ToolShell chain in 2025, showed its attractiveness to attackers.
CVE-2026-56155 affects Active Directory Federation Services (AD FS) and also permits an attacker to elevate privileges. This vulnerability requires an already-authenticated attacker to gain local privilege escalation, primarily due to weak access controls. Microsoft's DART incident-response unit is credited with its discovery, suggesting its identification during active incident investigations. While labeled "local," the compromise of an AD FS server is critical, as it is responsible for signing tokens for an entire enterprise, potentially affecting broad authentication trust. Microsoft has not disclosed the specific privileges granted or the method of exploitation.
Microsoft also addressed a third zero-day, CVE-2026-50661, a BitLocker bypass. This vulnerability requires physical access to the device for exploitation, making it a lower-priority concern than the remotely exploitable or actively attacked flaws. The July release included a fix for CVE-2026-55040, a SharePoint JWT authentication bypass discovered by Rapid7 Labs during Pwn2Own Berlin. This flaw, while rated with varying severity (5.3 by Rapid7, 9.1 by ZDI), is important because it can be combined with an unpatched remote code execution (RCE) vulnerability, expected to be fixed in August, to achieve unauthenticated RCE.
This month's update finalized Microsoft's multi-year Kerberos RC4 hardening initiative. The RC4DefaultDisablementPhase rollback switch, which allowed temporary exceptions for RC4 usage, has been removed. This means that RC4 will now only function for accounts explicitly configured to permit it. Service accounts relying on RC4 Kerberos tickets without explicit configuration or an update to AES keys may experience authentication failures post-patch. Organizations must audit their environments for RC4 dependencies and update affected service account passwords to generate AES keys before applying the patches. This change prevents operational disruptions rather than immediate security breaches. For more information on critical Microsoft patches, refer to our analysis on Microsoft zero-day patch updates.
The 622 CVEs in this Patch Tuesday include 416 vulnerabilities in Windows alone. ZDI identified 95 remote code execution bugs across the release. Other areas receiving fixes include Office (82 CVEs), Microsoft Edge (46 CVEs), and Developer Tools (27 CVEs across Visual Studio, VS Code, and GitHub Copilot). SharePoint Server received 17 fixes, including the exploited zero-day, the Rapid7 JWT bypass, and a Critical RCE pair (CVE-2026-50522 at 9.8). SQL Server received 8 fixes, including two RCEs (CVE-2026-54117 and CVE-2026-54118). Microsoft Defender received 5 updates, including two Critical RCEs; for more context on Defender vulnerabilities, our post on Microsoft Defender zero-days provides additional information. Exchange Server received 5 fixes, including a stored XSS in Outlook Web Access, CVE-2026-55008, rated 9.6. This update volume was partially anticipated, as Microsoft previously indicated a higher number due to AI-powered vulnerability discovery systems like MDASH.
How did attackers compromise AsyncAPI npm packages?
Threat actors compromised four @asyncapi npm packages by gaining push access to their GitHub repositories and using the projects' legitimate GitHub Actions release pipelines to distribute multi-stage botnet malware named Miasma. The attack compromised the CI/CD pipeline itself, rather than involving the theft of an npm token, as reported by security researchers from OX Security, SafeDep, Socket, and StepSecurity.
The affected packages included:
- @asyncapi/generator-helpers@1.1.1
- @asyncapi/generator-components@0.7.1
- @asyncapi/generator@3.3.1
- @asyncapi/specs(v6.11.2, v6.11.2-alpha.1)
Attackers injected malicious JavaScript implants into these packages. Unlike previous supply chain attacks that relied on install hooks, the malicious code here executed when the infected module was loaded by Node.js. This method meant the malware triggered during normal generator use, for example, within a build or CI job, not at installation. Upon execution, the code launched a detached background node that downloaded an encrypted second-stage payload, identified as Miasma, from IPFS at ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.
The Miasma tasking framework, comprising 744 modules, operates as a command framework with six independent command-and-control (C2) communication channels. These channels include HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract. The botnet is designed for a range of malicious activities, including credential theft, AI tool poisoning, lateral movement within local area networks (LANs), and worm-like propagation across npm, PyPI, and Cargo registries. It also establishes persistence mechanisms via systemd, crontab, macOS launchd, and Windows Registry autostart keys.
This Miasma variant includes a dead man's switch that monitors a stolen token and triggers a directory wipe if the token is revoked. The malware also has anti-analysis capabilities, avoiding execution on systems identified as sandboxes or virtual environments, or those with their language set to Russian. It also attempts to evade detection by security tools from vendors such as CrowdStrike, SentinelOne, Microsoft Defender, CarbonBlack, Cylance, Osquery, Tanium, and Qualys.
StepSecurity confirmed that the attackers pushed commits under a placeholder git identity, allowing the repositories' legitimate release workflows to publish the malicious packages using npm's GitHub OIDC trusted-publisher integration. The resulting packages carried legitimate SLSA provenance attestations, verifying the project's authorized workflow produced them, but not that the triggering commits were legitimate. All five malicious versions of the @asyncapi packages have since been unpublished from the npm registry.
What is OAuth client ID spoofing in Microsoft Entra ID?
OAuth client ID spoofing is an evasion technique used by at least two distinct threat actors to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments without generating successful sign-in events, evading traditional detection mechanisms. This activity was detailed in research published by Proofpoint.
The technique uses the OAuth client ID, a Globally Unique Identifier (GUID) assigned to applications, which is passed as client_id in authentication requests. Attackers provide syntactically valid but fake client IDs in HTTP POST requests to Microsoft's OAuth 2.0 token endpoint, specifically using the Resource Owner Password Credentials (ROPC) flow. This method exploits a "blind spot" in cloud sign-in telemetry.
Microsoft Entra ID returns different error responses based on whether a supplied OAuth client ID is valid. Attackers analyze these AADSTS error codes to infer valid usernames and correct passwords at scale. When a spoofed client ID is used, only the application ID is recorded in the Entra sign-in log, leaving the application name field blank. This absence of a named application allows the activity to bypass detection rules that monitor for surges in attempts against specific application names or trigger rate limiting.
Proofpoint identified two large-scale campaigns using this technique since late December 2025:
- UNK_pyreq2323: This campaign operated from January to March 2026, using over 700,000 spoofed client IDs sourced from Amazon Web Services (AWS) infrastructure. It targeted more than 1 million accounts across nearly 4,000 tenants, leading to lockouts for approximately 28% of the targeted users due to failed authentication attempts. This threat actor modified the trailing digits of known application IDs and reused these spoofed IDs across up to 12 users.
- UNK_OutFlareAZ: Beginning in December 2025, this campaign used Cloudflare infrastructure. It targeted over 2 million users with 3.7 million randomized spoofed application IDs. Unlike UNK_pyreq2323, this actor generated a unique client ID for each request and enumerated users alphabetically.
Both campaigns demonstrate patterns consistent with the use of precompiled username wordlists. While the problem of OAuth client ID spoofing is currently specific to Microsoft, Yaniv Miron, director of threat research at Proofpoint, indicated that other identity providers might be exposed to similar issues. Organizations that scope Conditional Access policies to specific applications to mitigate enumeration attacks may find these policies ineffective against spoofed client IDs, because the activity does not register against a known application.
Technical Takeaways
- Microsoft's July 2026 Patch Tuesday addressed 622 CVEs, including two actively exploited zero-days, CVE-2026-56164 in SharePoint Server and CVE-2026-56155 in Active Directory Federation Services (AD FS).
- The Miasma botnet malware was distributed through a supply chain attack involving four compromised @asyncapi npm packages, using compromised GitHub CI/CD pipelines, not stolen npm tokens.
- Threat actors use OAuth client ID spoofing against Microsoft Entra ID to validate stolen credentials and enumerate user accounts without generating successful sign-in events, which bypasses existing telemetry and detection mechanisms.
- Microsoft has completed its Kerberos RC4 hardening, removing the RC4DefaultDisablementPhase rollback switch; service accounts still relying on RC4 without AES key updates may face authentication failures.
- The high volume of patches and the presence of actively exploited zero-days, regardless of their CVSS severity score, require prioritizing patches based on known exploitation status and direct impact on critical infrastructure.