Severity by source
AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionNVD
Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack.
AnalysisAI
Spoofing via improper input validation affects Microsoft Azure Attestation service and the Device Health Attestation Service component across a broad range of Windows OS versions, from Windows Server 2012 through Windows Server 2025 and Windows 10/11. An authorized attacker with high privileges and physical access to the target device can manipulate attestation inputs to spoof device health or platform integrity status, achieving a high-integrity impact with no confidentiality or availability consequence. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.9 (Low) reflects the significant physical and privilege barriers to exploitation.
Technical ContextAI
The Device Health Attestation (DHA) Service and Azure Attestation service rely on CWE-20 (Improper Input Validation) as the root cause - the attestation pipeline fails to adequately validate input data supplied during a physical interaction, allowing crafted or manipulated measurements to be accepted as legitimate. Attestation services are designed to cryptographically verify the integrity of a device's boot chain and platform state (e.g., TPM measurements, Secure Boot status) to produce a trusted health claim. When input validation is insufficient, an attacker with physical access and high system privileges could submit falsified measurement data to the attestation pipeline, causing the service to produce a fraudulent but signed attestation report. The affected surface spans Windows OS implementations of the DHA Service across multiple generations, as evidenced by the EUVD-confirmed CPE ranges covering Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through 2025.
RemediationAI
Vendor-released patches are available for all affected Windows versions via the Microsoft Security Response Center. Administrators should apply the cumulative updates that bring affected builds to or above the fixed versions listed in EUVD-2026-35689: Windows Server 2025 to 10.0.26100.32995 or later, Windows Server 2022 to 10.0.20348.5256 or later, Windows Server 2019 to 10.0.17763.8880 or later, Windows Server 2016 to 10.0.14393.9234 or later, Windows 11 to the respective patched builds per channel, and Windows 10 to 10.0.19044.7417 / 10.0.19045.7417 or later depending on version. The full advisory and update packages are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45642. As a compensating control prior to patching, organizations relying on device attestation for conditional access or compliance should enforce physical security controls (locked server rooms, USB port restrictions, chassis intrusion detection) to eliminate the physical access prerequisite. Restricting high-privilege account usage on attestation-sensitive systems also reduces exposure. Note that physical security controls carry operational overhead and do not address the underlying software defect.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35689
GHSA-6xx7-8vwc-676h