Microsoft Entra ID & Exchange/SharePoint: Multiple Critical Vulnerabilities (CVE-2026-55008, CVE-2026-56164, CVE-2026-55040)
This text was generated using artificial intelligence (AI).On July 13, 2026, Microsoft announced a strategic change to its identity and access management system, Microsoft Entra ID. Starting September 1, 2026, passkeys will be phased in as the default method for multi-factor authentication (MFA). The goal of this measure is to strengthen account security through phishing-resistant login methods while phasing out vulnerable methods such as SMS and voice calls.
The transition affects all organizations using Microsoft Entra ID in the public cloud. Separate timelines will be announced for other cloud environments. The official Microsoft announcement is available in the Microsoft 365 Message Center at MC1426371 available.
Update July 14, 2026: In addition, several critical vulnerabilities in Microsoft Exchange Server, SharePoint Server, and Active Directory Federation Services have been disclosed. CVE-2026-55008 (CVSS 9.6) affects Exchange Server and allows remote code execution. CVE-2026-56164 and CVE-2026-56155 are actively exploited zero-day vulnerabilities in SharePoint and AD FS. CVE-2026-55040 (CVSS 9.1) allows for authentication bypass via JWT token forgery in AD FS. See below for details.
The Facts at a Glance
Passkeys as the standard: Starting September 1, 2026, users will be prompted to register passkeys; starting February 1, 2027, this will be mandatory.
SMS/Voice will be turned off: Microsoft's native services for SMS and voice sign-in will end on February 1, 2027. Third-party integration via the Microsoft Security Store will remain available.
Affected platform: Microsoft Entra ID (Public Cloud).
Critical Exchange Vulnerability: CVE-2026-55008 (CVSS 9.6) affects Exchange Server 2016 CU23, 2019 CU14/CU15, and the Subscription Edition RTM. Remote code execution is possible without authentication; user interaction is required.
SharePoint zero-days currently being exploited: CVE-2026-56164 (Elevation of Privilege) and CVE-2026-50661 affect SharePoint Server 2016, 2019, and the Subscription Edition. Available patches: 16.0.5561.1001, 16.0.10417.20175, 16.0.19725.20434.
Critical AD FS Vulnerabilities: CVE-2026-56155 (Insufficient Access Control) and CVE-2026-55040 (CVSS 9.1, Security Feature Bypass via JWT Token Forging) affect Active Directory Federation Services. CVE-2026-55040 is being actively exploited.
The timeline for the transition
To ensure a smooth implementation, Microsoft has published a phased rollout plan. IT administrators should take note of the following dates:
Effective August 1, 2026: API support will be available to configure a temporary opt-out for the passkey rollout.
Effective September 1, 2026: When logging in via MFA, users are offered the option to register a passkey. Participation is still optional at this stage.
Effective September 18, 2026: Microsoft publishes information about supported third-party telecommunications service providers in the Microsoft Security Store.
Effective October 30, 2026: Administrators can configure third-party telecommunications services in the Microsoft Security Store for SMS and voice sign-in.
Effective February 1, 2027: Microsoft's native SMS and voice services will be discontinued. The prompt to register for a passkey will become mandatory for all affected users and can no longer be skipped.
Need for Action and Options for Administrators
Companies must adapt their authentication strategies to this new framework. The transition period, which runs through February 2027, provides time to prepare internal processes and user communications.
Organizations that continue to rely on SMS- or voice-based authentication must turn to third-party solutions that can be integrated through the Microsoft Security Store. However, Microsoft clearly recommends switching to methods that are completely resistant to phishing.
Users who already use secure methods such as Windows Hello for Business, FIDO2 Security Keys, use certificate-based authentication or smart cards, are not affected by the new registration prompt, according to Microsoft Learn.
Critical Vulnerability in Microsoft Exchange Server (CVE-2026-55008)
In conjunction with the passkey migration, a critical security vulnerability in Microsoft Exchange Server was disclosed on July 14, 2026. The vulnerability, CVE-2026-55008, received a CVSS score of 9.6 and allows remote code execution over the network.
Technical Details
The vulnerability affects the following versions of Exchange:
Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 15
Microsoft Exchange Server Subscription Edition RTM
An attacker can exploit the vulnerability without prior authentication (PR:N), but user interaction is required (UI:R). The attack vector is network-based (AV:N) with low attack complexity (AC:L). If successfully exploited, high impacts on confidentiality, integrity, and availability are possible (C:H/I:H/A:H). The scope is „Changed“ (S:C), which means that the impact may extend beyond the vulnerable component.
Assessment and Recommendations for Action
As of this publication, the patch status is unknown. There is no information available regarding active exploitation or inclusion in the CISA KEV list. Organizations with Exchange servers running the affected versions should continuously monitor the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008 and prioritize the installation of available security updates.
The combination of a high CVSS score, a network-based attack vector, and the potential for remote code execution makes CVE-2026-55008 a critical threat to Exchange infrastructures. Until a patch is available, administrators should consider mitigating measures such as network segmentation, enhanced monitoring, and access restrictions on Exchange services.
Actively Exploited Zero-Days in SharePoint Server (CVE-2026-56164, CVE-2026-50661)
On July 14, 2026, two actively exploited vulnerabilities in Microsoft SharePoint Server were disclosed. CVE-2026-56164 is an elevation-of-privilege vulnerability enabled by a lack of authentication. CVE-2026-50661 is another vulnerability in SharePoint Server; its technical details have not yet been fully disclosed.
Affected Versions and Patches
The vulnerabilities affect the following versions of SharePoint:
Microsoft SharePoint Server 2016 (all versions) < 16.0.5561.1001)
Microsoft SharePoint Server 2019 (all versions) < 16.0.10417.20175)
Microsoft SharePoint Server Subscription Edition (all versions) < 16.0.19725.20434)
Microsoft has released security updates that address these vulnerabilities:
SharePoint Server 2016: Update to Version 16.0.5561.1001
SharePoint Server 2019: Update to Version 16.0.10417.20175
SharePoint Server Subscription Edition: Update to Version 16.0.19725.20434
Urgency and Recommended Action
Since both vulnerabilities are being actively exploited, it is critical to install the patches immediately. Organizations with SharePoint servers should prioritize installing the updates and conduct enhanced monitoring for suspicious activity until the patches are fully implemented. The vulnerabilities allow attackers to escalate privileges within the SharePoint environment, which can lead to data exfiltration, lateral movement within the network, and further compromises.
Critical Vulnerabilities in Active Directory Federation Services (CVE-2026-56155, CVE-2026-55040)
Alongside the SharePoint vulnerabilities, two critical vulnerabilities in Active Directory Federation Services (AD FS) were disclosed. CVE-2026-56155 is a vulnerability caused by insufficient access control. CVE-2026-55040 is a particularly critical security feature bypass vulnerability with a CVSS score of 9.1.
CVE-2026-55040: Authentication Bypass via JWT Token Forging
CVE-2026-55040 allows attackers to bypass authentication by creating forged JWT (JSON Web Tokens). This vulnerability is being actively exploited and poses a significant threat to organizations that use AD FS for federated authentication. A successful attack allows unauthorized access to protected resources without valid credentials.
Technical Assessment and Recommendations for Action
The combination of a high CVSS score (9.1), active exploitation, and the ability to completely bypass authentication makes CVE-2026-55040 one of the most critical vulnerabilities in the latest Microsoft security update. Organizations with AD FS infrastructure must apply available patches immediately and check their authentication logs for anomalies, particularly for unusual JWT token issuances or validations.
Until the patch is fully implemented, administrators should consider the following mitigating measures:
Enhanced Monitoring of AD FS Authentication Events
Review and Strengthening of JWT Token Validation Guidelines
Network Segmentation to Restrict Access to AD FS Servers
Enabling additional authentication factors for critical resources
CVE-2026-56155 also requires prompt installation of the patch, as insufficient access control in AD FS can lead to unauthorized access to federated services.
Relevance for Organizations in Germany, Austria, and Switzerland
This transition is particularly relevant for companies subject to NIS 2 and KRITIS operators in Germany: The use of phishing-resistant authentication methods complies with the requirements for technical security measures under Section 30 of the BSIG. The BSI explicitly recommends FIDO2-based methods and passkeys as strong authentication methods. Organizations that use Microsoft Entra ID as their central identity service should also include the transition in their GDPR-compliant change documentation and verify whether the change to the authentication infrastructure requires internal risk assessments in accordance with ISO 27001.
The Exchange vulnerability CVE-2026-55008, as well as the actively exploited SharePoint and AD FS vulnerabilities, underscore the urgency of a comprehensive Microsoft security management approach. Organizations with Exchange servers, SharePoint installations, or AD FS infrastructure must include these vulnerabilities in their risk assessment in accordance with ISO 27001 Annex A 8.8 (Vulnerability Management) and document them. The active exploitation of CVE-2026-56164, CVE-2026-50661, and CVE-2026-55040 requires immediate incident response readiness and prioritized patch installation.
Organizations subject to NIS 2 must comply with the requirement to report security incidents: If there are indications that zero-day vulnerabilities have been successfully exploited, a report to the relevant supervisory authority may be required.
Classification from the EASM and VRM Perspectives
A change in authentication methods at a central identity provider such as Microsoft has a direct impact on the external attack surface and supplier risk management.
External Attack Surface Management (EASM): Microsoft Entra ID is an externally accessible service whose sign-in portals are part of an organization’s digital infrastructure. An EASM platform such as LocateRisk identifies these and other exposed authentication endpoints (e.g., for VPNs or cloud services). Knowing which systems depend on Entra ID is essential for assessing the impact of this policy change on your organization’s security posture. At the same time, externally accessible Exchange servers, SharePoint instances, and AD FS servers must be identified and checked for vulnerability to CVE-2026-55008, CVE-2026-56164, CVE-2026-50661, CVE-2026-56155, and CVE-2026-55040. The active exploitation of several of these vulnerabilities makes continuous monitoring of the external attack surface particularly critical.
Vendor Risk Management (VRM): Microsoft is a critical supplier for most companies. A mandatory change to security policies is a significant event in cyber supply chain risk management. Continuous monitoring as part of VRM helps identify such changes among strategic partners and ensure an organization’s own compliance with standards such as NIS-2 or ISO 27001, which require active management of supplier risks. The Exchange, SharePoint, and AD FS vulnerabilities underscore the need to also monitor patch management processes for critical Microsoft products within the VRM context. The recent spate of critical zero-day vulnerabilities should serve as a prompt to update the risk assessment for Microsoft as a supplier and to document the dependency on Microsoft products within the supply chain.
Here's How LocateRisk Can Help You
The LocateRisk platform provides you with the necessary visibility into your external attack surface and the security posture of your suppliers. Identify all external systems that rely on Microsoft Entra ID for authentication, and assess the security performance of your critical technology partners. Detect exposed Exchange servers, SharePoint instances, and AD FS servers in your infrastructure to quickly locate and prioritize vulnerabilities such as CVE-2026-55008, CVE-2026-56164, CVE-2026-50661, CVE-2026-56155, and CVE-2026-55040.
Our „Made in Germany“ solution is hosted in certified German data centers—designed to meet GDPR requirements and with reduced risks associated with exposure to the U.S. Cloud Act.
All organizations and users who use Microsoft Entra ID in the public cloud. The exception is users who already use another phishing-resistant authentication method, such as Windows Hello for Business, FIDO2 security keys, or smart cards—according to Microsoft Learn, these users will not receive a new registration prompt.
Yes, the service will still be available, but no longer through Microsoft's native service. To use it, organizations must integrate a supported third-party telecommunications service provider via the Microsoft Security Store. Configuration will be possible starting October 30, 2026; Microsoft will publish information about available providers starting September 18, 2026.
Between September 1, 2026, and February 1, 2027, users can skip the prompt. After this deadline, the registration dialog will become mandatory. Affected users will then no longer be able to sign up without interacting with the prompt.
Check to see if you are running one of the affected versions: Exchange Server 2016 CU23, Exchange Server 2019 CU14 or CU15, or Exchange Server Subscription Edition RTM. Monitor the Microsoft Security Response Center for patch information and apply available updates immediately.
This update is critical and should be installed immediately. CVE-2026-56164 and CVE-2026-50661 are being actively exploited. Organizations with SharePoint servers running the affected versions (< 16.0.5561.1001 for 2016, < 16.0.10417.20175 for 2019, < 16.0.19725.20434 (for the Subscription Edition) should install the updates as a priority.
CVE-2026-55040 is a critical vulnerability (CVSS 9.1) that is actively being exploited and can bypass authentication through JWT token forgery. Organizations using AD FS must immediately install available patches, check their authentication logs for anomalies, and implement mitigating measures such as enhanced monitoring and network segmentation.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.