← All stories
● Covered by 1 source Β· 1 reportHigh impact

Mandiant Identifies Vulnerability in ADFS Certificate Management

Aggregated by BrevFeed security Β· updated 2h ago
πŸ”– Save

Mandiant discovered that improper manual rotation of ADFS certificates can expose active signing keys in Machine DPAPI. This vulnerability allows attackers to forge SAML tokens and bypass authentication mechanisms, posing significant risks to enterprise security.

Key points

Introduction to Ghost Certificates

Mandiant's research on the 'Golden SAML' technique has highlighted significant vulnerabilities in Microsoft identity management.

The discovery during a recent red team engagement showed that certain configurations lead to active ADFS signing keys being left exposed.

Mechanism of the Vulnerability

When AutoCertificateRollover is disabled, and certificates are rotated manually, old certificates can still exist in Machine DPAPI, creating a 'ghost' record.

This configuration is prevalent in enterprise environments, allowing adversaries to exploit it without triggering alarms.

Impact of the Exploit

By accessing the exposed signing keys, attackers can authenticate as any user to SAML-federated applications, bypassing MFA and identity controls.

The low visibility of this attack method due to its avoidance of direct interactions with monitored components enhances its threat level.

Recommendations for Mitigation

Organizations should ensure that AutoCertificateRollover is enabled and conduct regular audits of their ADFS configurations.

Mandiant provides a detailed blueprint for defending against exploitation of this vulnerability, urging awareness and proactive measures.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

CVE CVE-2026-202457.8 HIGH

Reporting from

Mandiant discovered that improper manual rotation of ADFS certificates can expose active signing keys in Machine DPAPI. This vulnerability allows attackers to forge SAML tokens and bypass authentication mechanisms, posing significant risks to enterprise security.