CVE-2026-54782 IBM QRadar · QRadar

Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in IBM QRadar

CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source,
  "URL" AS request_url,
  magnitude,
  UTF8(payload) AS raw_event
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Microsoft Windows Security Event Log', 'Microsoft .NET')
  AND (
    LOWER(UTF8(payload)) LIKE '%corewcf%'
    OR LOWER(UTF8(payload)) LIKE '%saml%'
    OR LOWER(UTF8(payload)) LIKE '%wstrust%'
    OR LOWER(UTF8(payload)) LIKE '%assertion%'
  )
  AND (
    LOWER(UTF8(payload)) LIKE '%signature%invalid%'
    OR LOWER(UTF8(payload)) LIKE '%bypass%auth%'
    OR LOWER(UTF8(payload)) LIKE '%unsigned%token%'
    OR LOWER(UTF8(payload)) LIKE '%securitytokenvalidation%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
critical severity medium confidence

QRadar AQL query correlating IIS, Windows Security, and .NET log sources for CoreWCF SAML signature validation anomalies indicative of CVE-2026-54782 exploitation attempts.

Data Sources

Microsoft IIS DSMWindows Security Event Log DSMMicrosoft .NET DSM

Required Tables

events

False Positives & Tuning

  • SAML federation configuration changes causing transient validation exceptions
  • Security scanning tools actively probing WCF endpoints
  • Misconfigured identity providers sending malformed assertions during initial SSO setup

Other platforms for CVE-2026-54782

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint

    Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted

  2. Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint

    Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log

  3. Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC

    Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1606.002SAML TokensT1550Use Alternate Authentication MaterialT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections