CVE-2026-54782 Sumo Logic CSE · Sumo

Detect CoreWCF SAML Token Signature Validation Authentication Bypass (CVE-2026-54782) in Sumo Logic CSE

CVE-2026-54782 is a critical (CVSS 10.0) authentication bypass vulnerability in CoreWCF.Primitives affecting SAML 1.1 and 2.0 token signature validation. An unauthenticated attacker can craft a SAML assertion with an invalid or missing signature that CoreWCF accepts as valid, bypassing all authentication controls on WCF service endpoints. Affects CoreWCF.Primitives < 1.8.1 and >= 1.9.0, < 1.9.1. A public PoC exists.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows* OR _sourceCategory=*iis* OR _sourceCategory=*dotnet*
| where _raw matches /(?i)(CoreWCF|System\.ServiceModel|SAML|WSTrust|assertion)/
| parse regex field=_raw "(?i)(?<event_type>signature.*?invalid|unsigned.*?assertion|bypass.*?auth|SecurityTokenValidationException|anonymous.*?access)" nodrop
| where !isEmpty(event_type)
| parse regex field=_raw "(?i)(?:src[= ]+|source[= ]+|client[= ]+)(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex field=_raw "(?i)(?:user[= ]+|username[= ]+)(?<username>[\w@\.\-]+)" nodrop
| timeslice 5m
| count by _timeslice, src_ip, username, event_type
| sort by _count desc
critical severity medium confidence

Sumo Logic query searching Windows, IIS, and .NET application logs for CoreWCF SAML signature bypass indicators, parsed into structured fields for correlation and alerting.

Data Sources

Windows Event LogsIIS Access Logs.NET Application Logs

Required Tables

_sourceCategory=*windows*_sourceCategory=*iis*_sourceCategory=*dotnet*

False Positives & Tuning

  • Legitimate SAML SLO (Single Logout) flows generating token parsing warnings
  • Clock skew between IdP and SP causing SAML assertion timestamp validation failures
  • Vendor security assessments targeting WCF service endpoints

Other platforms for CVE-2026-54782

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Send Unsigned SAML 2.0 Assertion to CoreWCF Endpoint

    Expected signal: IIS logs show POST /Service with HTTP 200 response; Windows Application Event Log shows no SecurityTokenValidationException; network capture shows SAML assertion without Signature element accepted

  2. Test 2Send Stripped Signature SAML 1.1 Token to CoreWCF wsHttpBinding Endpoint

    Expected signal: Network capture shows WS-Security SOAP header with SAML 1.1 assertion lacking Signature; IIS or Kestrel logs show HTTP 200; no authentication failure event in Windows Security log

  3. Test 3Deploy Vulnerable CoreWCF Version and Validate Authentication Bypass via PoC

    Expected signal: dotnet process spawned on port 5050; curl returns echo response without authentication challenge on 1.8.0; after patching to 1.8.1 the same request returns 401 or SOAP fault

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-54782 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1606.002SAML TokensT1550Use Alternate Authentication MaterialT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections