Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in Microsoft Sentinel
CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.
MITRE ATT&CK
KQL Detection Query
union DeviceNetworkEvents, DeviceProcessEvents, AuditLogs
| where TimeGenerated > ago(24h)
| where (
(ActionType == "ConnectionSuccess" and RemotePort in (80, 443, 808, 9000))
or (OperationName has "WCF" and ResultDescription has_any ("SAML", "token", "assertion"))
or (ProcessCommandLine has_any ("CoreWCF", "System.ServiceModel"))
)
| extend SamlIndicator = iff(
OperationName has "SAML" or InitiatedBy has "SAML" or AdditionalDetails has "assertion",
true, false
)
| where SamlIndicator == true
or (ActionType == "ConnectionSuccess" and isnotempty(RemoteUrl) and RemoteUrl matches regex @"(?i)(saml|wstrust|sts|adfs)")
| extend RiskScore = case(
SamlIndicator == true and ResultDescription has "bypass", 100,
SamlIndicator == true and ResultDescription has_any ("unauthenticated", "anonymous"), 90,
SamlIndicator == true, 70,
50
)
| project TimeGenerated, DeviceName, AccountName, ActionType, OperationName, ResultDescription, RemoteUrl, RiskScore, AdditionalDetails
| sort by RiskScore desc, TimeGenerated descDetects potential exploitation of CVE-2026-54782 by correlating WCF/SAML-related network connections, process activity, and Azure AD audit events indicating SAML assertion usage on CoreWCF endpoints. High-fidelity when paired with application logs exposing SAML token processing errors.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SAML-based authentication flows against WCF services in enterprise SSO environments
- Penetration testing or red team exercises against .NET WCF endpoints
- Security scanners (Qualys, Nessus, Tenable) probing SAML endpoints during scheduled assessments
Other platforms for CVE-2026-54782
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint
Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted
- Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint
Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log
- Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC
Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault
Unlock Pro Content
Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.