Microsoft dropped its July 2026 security updates on the 14th, and one fix in particular should grab the attention of any organization still running Active Directory Federation Services (AD FS). CVE-2026-50695 is a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash an AD FS server by sending a carefully crafted packet. No user interaction. No credentials. Just network reachability.
It’s one of seven AD FS DoS flaws Microsoft patched in this bundle, alongside an actively exploited elevation-of-privilege bug — making the July cumulative update a must-test for identity teams.
What’s Inside the July AD FS Patches
CVE-2026-50695 stems from a stack-based buffer overflow in the AD FS service. Microsoft rates it as Important, while the Zero Day Initiative assigns a CVSS score of 7.5, underscoring the low attack complexity and high availability impact. Crucially, the vulnerability is reachable over the network with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N). Successful exploitation simply crashes the AD FS service; there’s no evidence that it can be leveraged for code execution or token theft.
Microsoft confirmed the vulnerability’s technical details and rated the report confidence as “confirmed.” At the time the patches shipped, neither Microsoft nor ZDI had seen public disclosure or active exploitation of CVE-2026-50695.
But this CVE doesn’t sit in isolation. The July update also patches six other AD FS denial-of-service vulnerabilities — many of them based on similar buffer overflow or infinite-loop conditions. And security teams need to be aware of CVE-2026-56155, an AD FS elevation-of-privilege flaw that Microsoft says is already being exploited in the wild. Tom’s Hardware reported on that active threat, noting that attackers can gain SYSTEM-level access on domain controllers under certain conditions. While the two bugs are distinct, the sheer number of AD FS fixes this month signals that the federation service is under fresh scrutiny — and every unpatched server increases the odds of a successful attack.
Why an AD FS Crash Can Mean a Company-Wide Sign-In Outage
AD FS is the trust broker for many hybrid identity environments. Even if your organization has moved most authentication to Microsoft Entra ID, federated domains still route sign-ins through AD FS. The service issues tokens, validates claims, and facilitates single sign-on across Microsoft 365, third-party SaaS apps, and custom LOB applications.
A server crash in AD FS isn’t just an inconvenience. It can instantly block:
- New user sign-ins across all federated applications.
- Token renewals for existing sessions, gradually forcing users out.
- Federation endpoints used by partners and cloud services.
Users won’t see a security alert; they’ll see timeouts, repeated login prompts, or application errors that often flood the help desk. And while load-balanced farms provide redundancy, they don’t offer immunity. If the same crafted packet can reach every node in the farm — perhaps because all servers share the same vulnerability — an attacker can systematically take down the entire authentication front-end.
This is why an availability-focused CVSS score matters so much. Identity infrastructure is a dependency multiplier; knocking out AD FS can deny access to dozens of otherwise healthy applications.
The Patch Is the Fix, but Exposure Reduction Counts
The only complete remedy is deploying the July 14, 2026 cumulative security update to every AD FS and Web Application Proxy server. Because AD FS sits in the critical path, IT teams should follow a staged, validated rollout. Here’s a checklist to keep the farm running while you patch:
- Identify every Windows Server host with the AD FS role — including passive farm members and standby nodes.
- Download and install the applicable July 2026 security update (KB article will vary by OS version).
- For multi-node farms: drain one server from the load balancer, apply the update, reboot, and verify before moving to the next.
- After updating, confirm the AD FS service starts and the server rejoins its farm. Check that internal and external federation endpoints (e.g., /adfs/fs/federationserverservice.asmx, /adfs/ls/IdpInitiatedSignon.aspx) respond correctly.
- Test authentication flows: SAML sign-in to Office 365, OAuth2/OpenID Connect to a representative app, and any WS-Federation or claims-aware legacy application your organization uses.
- Review AD FS Admin and System event logs for service crashes, certificate access errors, or proxy trust problems.
Leaving even one unpatched node leaves the farm vulnerable, so move through the full farm as quickly as safely possible. And during the patch window, temporarily enabling more verbose logging or an additional network monitoring rule can help catch any unusual traffic aimed at the federation endpoint.
Beyond patching, harden your network posture. AD FS servers should never be directly exposed to the internet. Use Web Application Proxy servers in the DMZ to publish federation endpoints. Restrict inbound access to the back-end AD FS servers to only those ports and sources required by the proxies and domain controllers. And if you have management or administrative interfaces (e.g., WinRM, RDP) accessible from untrusted networks, lock those down now — they aren’t needed for daily federation and only expand the attack surface.
How We Got Here: AD FS’s Enduring Role and Old-School Bugs
AD FS has been a staple of enterprise identity since the Windows Server 2008 days. Even as Microsoft encourages migration to Entra ID and modern authentication, a huge number of organizations still run on-premises federation servers because of complex application chains, partner trusts, or compliance requirements.
Stack-based buffer overflows are a class of vulnerability that many thought were largely eliminated by modern development practices — but they keep appearing. In AD FS’s case, the flaw likely arises from insufficient input validation when parsing certain types of federation metadata or authentication requests. That an unauthenticated attacker can trigger it from outside the network highlights why defense-in-depth is non-negotiable.
The clustering of seven AD FS DoS fixes in a single month suggests either a coordinated internal audit or a surge in external vulnerability research. The concurrently exploited elevation-of-privilege bug (CVE-2026-56155) adds even more urgency — attackers are clearly targeting AD FS right now.
What to Watch Next
At the time of writing, there’s no evidence of active exploitation of CVE-2026-50695. But with patch details now public, proof-of-concept code is likely to surface within weeks. Internet-facing federation servers without the July update will become low-hanging fruit.
For organizations that have been planning to eliminate AD FS entirely, this is another compelling data point. Migrating to Entra ID password hash synchronization or pass-through authentication removes the federation middleman and all its associated patching burden. But until that migration is 100% complete — including all relying parties, all fallback paths, and all proxy infrastructure — you still need to patch the AD FS servers you have.
The immediate to-do is simple but urgent: get the July 14, 2026 updates onto every AD FS server, test authentication end-to-end, and tighten network access. Don’t wait for attackers to weaponize a crash that needs no password.