Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in CrowdStrike LogScale
CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN ("NetworkConnectIP4", "ProcessRollup2", "DnsRequest")
| $falcon.event.Severity = "High" OR $falcon.event.Severity = "Critical"
| event_platform = "Win"
| (
(
event_simpleName = "NetworkConnectIP4"
AND (RemotePort IN (80, 443, 808, 8080, 9000))
AND (DomainName = /(?i)(saml|wstrust|sts|adfs|shibboleth)/ OR RemoteAddressIP4 != null)
)
OR
(
event_simpleName = "ProcessRollup2"
AND (
ImageFileName = /(?i)(w3wp\.exe|dotnet\.exe|iisexpress\.exe)/
OR CommandLine = /(?i)(CoreWCF|System\.ServiceModel|SAML)/
)
)
OR
(
event_simpleName = "DnsRequest"
AND DomainName = /(?i)(saml|sts|adfs|wstrust)/
)
)
| groupby([aid, ComputerName, UserName, ImageFileName, RemotePort, DomainName], function=[count(aid, as=event_count), min(timestamp, as=first_seen), max(timestamp, as=last_seen)])
| where event_count > 1
| sort(event_count, order=desc)CrowdStrike Falcon LogScale (CQL) query hunting for CVE-2026-54782 exploitation by correlating network connections to SAML/WSTrust endpoints, CoreWCF .NET worker process launches, and DNS queries for identity provider domains from Windows hosts.
Data Sources
Required Tables
False Positives & Tuning
- Corporate SSO workflows making repeated SAML assertions to WCF-hosted enterprise applications
- CrowdStrike Spotlight or ExPRT.AI scanning hosts for CVE-2026-54782 patching status
- Automated service accounts authenticating to internal WCF APIs via federated identity
Other platforms for CVE-2026-54782
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint
Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted
- Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint
Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log
- Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC
Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault
Unlock Pro Content
Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.