CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

A critical authentication flaw in StrongDM’s desktop application has been identified that allows attackers to hijack user sessions by reusing locally stored authentication material, potentially exposing sensitive enterprise infrastructure. The issue, tracked as CVE-2026-4387, was discovered by SpecterOps during a security assessment and has been fixed in StrongDM Desktop version 23.74.0 and CLI version 53.77.0. […] The post Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Auth

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication By Abinaya June 2, 2026 A critical authentication flaw in StrongDM’s desktop application has been identified that allows attackers to hijack user sessions by reusing locally stored authentication material, potentially exposing sensitive enterprise infrastructure. The issue, tracked as CVE-2026-4387, was discovered by SpecterOps during a security assessment and has been fixed in StrongDM Desktop version 23.74.0 and CLI version 53.77.0. The vulnerability originates from how StrongDM stored session data on disk. After a successful login, the application saved authentication material in a file located at C:\Users<username>.sdm\state.kv. This file contained a JSON Web Token (JWT) along with a public and private key pair, all stored in plaintext. Critical StrongDM Vulnerability Since the file only required user-level permissions to access, an attacker with system-level access could extract it without elevated privileges. SpecterOps demonstrated that this state file could be reused to impersonate a legitimate user. Decoded JWT(source : specterops ) Attackers could copy a KV state file from a compromised system to another machine, allowing the StrongDM client to automatically authenticate as the victim and access infrastructure resources without credentials. The attack worked reliably even across external hosts by replacing the file after application launch, bypassing startup-file protections and exposing additional weaknesses in the authentication flow. A local endpoint at http://127.0.0.1:65220/v2/authentication exposed JWT tokens when queried with minimal headers, and cached files such as data_1 also stored sensitive authentication data. StrongDM Resource Connection (source : specterops ) The lack of binding between session tokens and the host environment enabled the reuse of authentication material across different systems. The impact of this vulnerability is significant, as it enables full session hijacking without requiring credentials. Attackers could access databases, servers, and cloud resources managed through StrongDM and potentially move laterally within enterprise environments. The fact that only user-level permissions are required lowers the barrier for exploitation, especially in post-compromise scenarios. StrongDM remediated the issue by removing plaintext storage of sensitive authentication data. The updated versions now use platform-native secure storage mechanisms such as DPAPI on Windows and Keychain on macOS. State.kv File Reuse Verification (source : specterops ) Additionally, JWTs are no longer stored in the state.KV file, preventing reuse across systems. Security validation confirmed that transferring session files between hosts no longer results in authenticated access. The vulnerability was initially reported in May 2025, with a fix implemented in March 2026. According to SpecterOps, CVE-2026-4387 was publicly disclosed on May 29, 2026, followed by a broader disclosure on June 1, 2026. Users are strongly advised to update to the latest versions to mitigate any potential risk. This incident highlights the dangers of insecure local credential storage. It emphasizes the importance of protecting authentication tokens through secure storage and proper session binding to prevent reuse attacks. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts Microsoft Office for the Web and Teams Hit by File Access Outage Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage Latest News Cyber Security News Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 Cyber Security News Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account Cyber Security Hackers Use Meta’s AI Bot to Reset Passwords and Hijack Instagram Accounts Cyber Security News IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request Cyber Security News Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗