The Cybersecurity and Infrastructure Security Agency added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on July 14, 2026. Two of them — flaws in Microsoft Active Directory Federation Services and SharePoint Server — landed on the same day as Microsoft’s July Patch Tuesday release. For administrators running Windows Server or SonicWall appliances, it’s not just another patch cycle; it’s a race to close doors that attackers are already walking through.

The Four Flaws at a Glance

The new KEV entries are CVE-2026-15409, CVE-2026-15410, CVE-2026-56155, and CVE-2026-56164. Each has one thing in common: CISA says there is evidence of active exploitation. Here’s what you need to know about each.

SonicWall SMA1000: A Gateway Under Fire

CVE-2026-15409 is a server-side request forgery vulnerability in the WorkPlace interface of SonicWall SMA1000 appliances. A remote, unauthenticated attacker can force the appliance to make requests to unintended destinations. That turns a trusted edge device into a pivot point. If the attacker can reach internal systems through SSRF, they may gather information or reach administrative services not exposed to the internet.

CVE-2026-15410 is a code injection vulnerability in the same product line. CISA included both on the same day, which raises the possibility that attackers are chaining them together. No confirmed exploit chain is public, but the combination of SSRF and code injection on a remote-access gateway is a nightmare scenario.

Administrators with SMA1000 appliances — including standby and disaster-recovery nodes — need to move fast. Check SonicWall’s security advisories for patched firmware versions. Until you can update, restrict management interfaces to trusted networks only. And don’t stop at patching; review authentication logs, new accounts, outbound connections, and any configuration changes. Because the KEV listing confirms prior exploitation, assume any unpatched appliance is backdoored until proven otherwise.

AD FS: Your Federation Keys Might Be Up for Grabs

CVE-2026-56155 affects Microsoft Active Directory Federation Services. The vulnerability lies in an access control list on the Distributed Key Manager container in Active Directory. If the ACL is too permissive, an authorized local attacker can read the DKM material and decrypt the private keys that protect token-signing and token-encryption certificates.

This isn’t a garden-variety privilege escalation. If someone owns your token-signing keys, they can forge authentication tokens for any federated user. That could compromise cloud services, on-premises apps, and any identity that trusts the AD FS farm.

Microsoft released a security update on July 14 that adds monitoring. After you install the update and restart the AD FS service, the system checks the DKM container ACL at startup and every 24 hours. If it finds an insecure configuration, it logs Event ID 1132 in the AD FS Admin event log. But — and this is critical — the first phase does not automatically fix the ACL.

For Windows Server 2016 and later, you can opt into remediation by setting the registry value RemediateDkmAcl to 1. If you do nothing, Microsoft plans to enable automatic remediation on October 13, 2026. Windows Server 2012 and 2012 R2 need an extra step: the AD FS service account must be granted permission to modify the container before you can flip the switch.

SharePoint Server: No Authentication Required

CVE-2026-56164 affects Microsoft SharePoint Server. CISA describes it as missing authentication for a critical function. Microsoft classifies it as an elevation of privilege. SecurityWeek and BleepingComputer report that exploitation can occur over the network without any credentials.

This kind of flaw is a welcome mat for attackers targeting on-premises SharePoint farms. No need for a user account; a simple network request can trigger code. The fix is included in the July 2026 SharePoint updates, but be warned: installing the Windows Update package alone is not enough. You must deploy the correct SharePoint update on every server in the farm and then run the SharePoint Products Configuration Wizard (or its PowerShell counterpart) on each one.

Don’t forget application servers, search servers, or any node hiding behind a reverse proxy. If even one server lags, the farm remains exposed. After updating, comb through logs for unauthenticated requests, unexpected new files, anomalous PowerShell execution, or shifts in farm and site-collection permissions.

Why This Matters for Windows Administrators

The KEV catalog is not a severity ranking. CISA only adds a vulnerability when it has direct evidence that attackers are using it in the wild. That makes it a much stronger prioritization signal than a CVSS score alone. Under Binding Operational Directive 26-04, federal civilian agencies must remediate these flaws rapidly and determine whether compromise occurred before patching. That guidance applies to everyone, not just government networks.

For these four vulnerabilities, the threat is immediate and the attack surface is wide. SonicWall appliances sit right on the internet. AD FS farms are the front door to federated identities. SharePoint servers often expose document management and collaboration tools to untrusted networks. An attacker who gains even partial access to any of these systems can cause enormous damage.

The Timeline of Disclosure

All four CVEs were added to the KEV catalog on July 14, 2026. The same day, Microsoft released its July Patch Tuesday updates, which included fixes for CVE-2026-56155 and CVE-2026-56164. Microsoft confirmed both as exploited zero-days. SonicWall had already published advisories for the SMA1000 flaws.

The tight timeline suggests coordinated disclosure for the Microsoft issues, though neither CISA nor the vendors have named threat actors or targeted organizations. The lack of public attack details means defenders must hunt broadly for signs of compromise, not wait for a published IOCs.

How to Protect Your Systems Now

Patching is the first step, but the KEV listing also demands a breach assessment. Here’s a practical checklist.

For SonicWall SMA1000 admins:
- Identify every appliance, including disaster-recovery nodes.
- Update firmware to the latest version recommended by SonicWall.
- If you can’t patch immediately, restrict the WorkPlace interface and management ports to trusted networks only.
- Review authentication logs, administrative changes, new accounts, and unexpected outbound connections.
- If you see anything suspicious, rotate credentials and invalidate active sessions.

For AD FS admins:
1. Install the July 14, 2026 security update (or a later cumulative update) on all AD FS servers.
2. Restart the AD FS service and look for Event ID 1132 in the AD FS Admin event log.
3. If the event appears, your DKM container ACL is too permissive. Validate the current permissions, especially if you use custom service accounts or delegated administration.
4. To remediate, set RemediateDkmAcl = 1 under HKLM\SOFTWARE\Microsoft\ADFS\Parameters. (On Server 2012/2012 R2, run the provided PowerShell script to grant the service account access first.)
5. If you find evidence that an attacker may have read the DKM container, rotate all token-signing and token-encryption certificates. Regenerate federation metadata and plan for a broader credential reset.

For SharePoint admins:
- Inventory every server in the farm, including front-ends, application servers, and search nodes.
- Download and install the July 2026 SharePoint security update for your version.
- Run the SharePoint Products Configuration Wizard (or PSConfig.exe) on each server.
- Verify the farm’s patch status in Central Administration.
- Search your SharePoint ULS logs, IIS logs, and security event logs for suspicious activity: unexpected unauthenticated hits, new files in the _layouts directory, application pool anomalies, or unauthorized PowerShell execution.

General advice:
- Prioritize internet-facing assets first: SonicWall gateways and SharePoint web front ends.
- Then move to AD FS servers, even if they are not directly reachable from the internet. A stolen token can be used anywhere.
- Use the KEV catalog as a standing to-do list for risk-based vulnerability management. It’s not just about these four CVEs; it’s about building a process that treats actively exploited flaws as drop-everything emergencies.

What Comes Next

Microsoft’s phased approach to AD FS remediation means many organizations will not have a locked-down DKM ACL until October. That’s a long window for attackers who may already have a foothold. Don’t wait — audit now and opt into remediation if you can. As more attack details eventually surface, defenders will get a clearer picture of the post-exploitation techniques to hunt for. In the meantime, treat these four vulnerabilities as active incidents until you have proof otherwise.

The CISA KEV catalog will keep growing. The best defense is to integrate it into your patch-and-hunt rhythm, not treat it as an occasional alarm. Today’s entries are a stark reminder: remote access, identity, and collaboration systems are the attackers’ favorite targets. Patch them like your business depends on it — because it does.