CVE-2026-45642: Windows Azure Attestation Input Validation Flaw
CVE-2026-45642 affects Microsoft's Azure Attestation and Device Health Attestation services, which are used to verify the integrity and trustworthiness of devices and systems. The vulnerability stems from inadequate validation of user-supplied input, allowing an attacker who already has physical access and elevated privileges on a target system to spoof attestation results. This means an attacker could make a compromised or malicious device appear legitimate to systems that rely on attestation checks. The attack requires both physical proximity to the device and administrative-level access, significantly limiting real-world exposure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.9 LOW · CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is rooted in CWE-20 (Improper Input Validation) within the attestation services that validate device health and integrity claims. When attestation requests are processed, insufficient checks on input parameters allow an authorized, privileged user with physical access to craft malicious requests that bypass validation logic. By exploiting this gap, an attacker can submit false attestation claims that the service accepts as authentic, enabling device spoofing. The CVSS 3.1 score of 3.9 (LOW severity) reflects the attack vector requiring physical presence (AV:P), high privilege requirement (PR:H), low attack complexity (AC:L), and impact limited to integrity (I:H) without affecting confidentiality or availability.
Business impact
Organizations relying on device attestation for security posture validation—particularly in zero-trust architectures, conditional access policies, or hardware-based compliance checks—may face integrity risks. An insider or physically proximate attacker with administrative credentials could present a compromised device as healthy, potentially gaining unauthorized access to sensitive resources or bypassing security controls. However, the requirement for both physical access and high-privilege credentials substantially narrows the threat landscape to well-resourced or insider threat scenarios. The impact is most acute in environments where attestation serves as a primary gating mechanism for resource access.
Affected systems
The vulnerability affects Windows client and server systems: Windows 10 (versions 1607, 1809, 21H2, and 22H2), Windows 11 (versions 23H2, 24H2, 25H2, and 26H1), and Windows Server editions (2012, 2016, 2019, 2022, and 2025). All widely deployed Windows releases from Windows 10 1607 through Windows 11 26H1 and their corresponding server counterparts are in scope.
Exploitability
Real-world exploitability is constrained by multiple prerequisites. An attacker must possess physical access to the target device, have already obtained administrative or high-privilege credentials, and understand the attestation protocol implementation. These barriers are substantial—physical access alone eliminates remote exploitation, and the privilege requirement assumes prior system compromise or insider status. Public exploit code is not known to exist, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. While the attack is feasible in controlled environments or for well-resourced adversaries, opportunistic exploitation in the wild is unlikely.
Remediation
Microsoft has issued security updates to address improper input validation in the attestation services. Organizations should apply these updates to all affected Windows 10 and Windows 11 clients, as well as Windows Server systems. Patching should be prioritized for systems in zero-trust or hardware-attestation-dependent environments. As an interim control, restrict administrative access to trusted personnel, enforce physical security controls around critical devices, and monitor attestation service logs for anomalous requests or validation bypass attempts.
Patch guidance
Check Microsoft's security update guidance for the specific Windows versions deployed in your environment. Updates are expected across all affected versions listed in the affected systems summary. Verify the patch version numbers against Microsoft's official security advisory before deployment. Test patches in a non-production environment first, as attestation services may be relied upon by dependent systems. Organizations on extended support lifecycles (e.g., Windows 10 1607) should coordinate with Microsoft to ensure patch availability and applicability.
Detection guidance
Monitor Windows event logs for failed or unusual attestation validation events, particularly in the Windows Defender Health Attestation service logs. Establish baselines for normal attestation request patterns and alert on deviations such as repeated failed validations followed by success, or requests from unexpected privilege levels. Endpoint Detection and Response (EDR) tools should flag attempts to modify attestation service configurations or call APIs with malformed input. In cloud environments using Azure, enable diagnostic logging for the Azure Attestation service and review audit trails for unexpected attestation token generation or validation bypass patterns.
Why prioritize this
Although the CVSS score is LOW (3.9), this vulnerability should not be dismissed. The integrity impact is HIGH—successful exploitation directly undermines device trust assurance—and the affected product scope is broad (all mainstream Windows versions and servers). While exploitation requires formidable barriers (physical access + high privilege), the consequence of successful spoofing in zero-trust deployments could be significant. Prioritize patching for systems that are critical attestation nodes or in security-sensitive environments, then roll out to the broader estate as resources permit.
Risk score, explained
The CVSS 3.1 score of 3.9 reflects the LOW severity rating primarily due to the physical attack vector requirement (AV:P) and high privilege prerequisite (PR:H), which severely constrain the attacker pool. However, the HIGH integrity impact (I:H) and the breadth of affected systems indicate that organizations depending on attestation as a security boundary should treat this with appropriate attention. The score appropriately captures that widespread, low-skill exploitation is unlikely, but targeted attacks against high-value targets with physical access and privileged credentials remain feasible.
Frequently asked questions
Does this vulnerability allow remote code execution or system takeover?
No. The vulnerability is limited to spoofing attestation results—making a device appear healthy or trustworthy when it may not be. It does not grant code execution, lateral movement, or direct access to other systems. However, a spoofed attestation claim could be used to bypass conditional access controls or zero-trust policies that trust the device's reported state, potentially leading to downstream compromise.
Can an attacker without physical access exploit this?
No. The CVSS vector explicitly requires physical access (AV:P). An attacker must be present at the device or have tampered with it in person. Remote attacks are not possible via this vulnerability alone.
Do I need to patch systems that don't use Azure Attestation or Device Health Attestation?
If your organization does not actively use these services or does not rely on device attestation for access control decisions, the immediate risk is lower. However, Microsoft may have integrated these services into Windows updates, so patching is still recommended as a general security hygiene practice and to reduce the attack surface.
Is there a workaround if I cannot patch immediately?
Mitigations include restricting administrative access to trusted users, implementing strong physical security controls around devices, disabling Device Health Attestation if it is not in use, and monitoring attestation service logs for suspicious activity. These controls reduce but do not eliminate the risk; patching should be scheduled as soon as feasible.
This analysis is based on publicly available information as of the publication date. CVSS scores, affected product lists, and patch guidance are derived from official sources; verify version numbers and availability against Microsoft's security advisories before deploying patches. This vulnerability requires physical access and elevated privileges—while a real security concern, it does not represent an immediate remote threat to most organizations. No exploit code or weaponized proof-of-concept is discussed or endorsed. Organizations should conduct their own risk assessment based on their specific use of attestation services and threat model. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11240LOWChrome Site Isolation Bypass – Low-Severity Input Validation Flaw
- CVE-2026-11244LOWChrome WebAuthentication Input Validation Bypass
- CVE-2026-11251LOWChrome Password Manager Policy Enforcement Flaw
- CVE-2026-11675LOWChrome Skia Out-of-Bounds Read Leading to Cross-Origin Data Leak
- CVE-2026-11691LOWChrome New Tab Page Cross-Origin Data Leak – Patch Now
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution