Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review

The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.

Tags: #identity #conditional-access #mfa #zero-trust #exchange #session-hijacking #authentication #entra-id

Two Exchange vulnerabilities dominated the security news cycle from 12–18 May 2026. Both are serious, both target Exchange, and yet they require different defensive responses that highlight a nuanced challenge for identity and access management teams: the boundary between “identity controls help” and “identity controls are irrelevant” is not always obvious from incident descriptions.

Understanding where that boundary sits is essential for accurate risk communication and for ensuring that IAM investment is complemented by the right additional controls.

Scenario 1: CVE-2026-42897 — Identity Controls Matter

CVE-2026-42897 is an OWA XSS that enables session hijacking. An attacker sends a crafted email; the target opens it in OWA; the session token is stolen; the attacker reuses the token to access the mailbox from a different location.

For this attack vector, identity controls are directly relevant:

Conditional Access with sign-in risk: Microsoft Entra ID evaluates sign-in risk during authentication and at token refresh points. If the stolen session token is used from a new IP address, new geographic location, or unfamiliar device, risk-based Conditional Access can force re-authentication — breaking the stolen session before the attacker can enumerate the mailbox.

Continuous Access Evaluation (CAE): CAE enables real-time session revocation rather than waiting for token expiry. If session anomalies are detected, CAE can terminate the session and force re-authentication. Organisations with CAE enabled for Exchange Online have meaningfully reduced the window in which a stolen OWA session remains valid.

Anomaly-based conditional access policies: Configuring MFA or block policies for sign-ins from countries where the affected users have no legitimate business is a standard conditional access control that would catch many session-hijacking scenarios involving offshore attacker infrastructure.

Limitation: These controls apply at token refresh boundaries. If the attacker’s activity within the stolen session window is rapid — bulk email export before CAE triggers — identity controls reduce the damage window but do not eliminate it entirely. Network and endpoint monitoring to detect rapid mailbox access remains necessary.
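The detection side of this limitation is worth making concrete. The following is an added example written for this article, not code from the article or from Microsoft: it runs over a constructed set of OWA session-activity events (the schema, the field names, the access threshold and the re-authentication delays are all assumptions) and shows three things a monitoring team would want: a stolen session presented from an IP or country other than the one it was bound to at sign-in, a burst of mailbox item access that exceeds a threshold within a short window, and how many items the hijacked session could touch before a forced re-authentication fires, for a CAE-style near-real-time revocation versus waiting for a longer refresh boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session-activity events (not real log data). Each event is
# one use of an OWA session: the SignIn that binds the session to an IP, then
# mailbox operations. Session S1 is presented from a new IP/country mid-session.
EVENTS = [
    {"ts": "2026-05-14T09:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "GB", "op": "SignIn", "items": 0},
    {"ts": "2026-05-14T09:05:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "GB", "op": "MailItemsAccessed", "items": 3},
    # Same session identifier, now from a different IP and country: hijack indicator
    {"ts": "2026-05-14T09:12:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "country": "RO", "op": "MailItemsAccessed", "items": 400},
    {"ts": "2026-05-14T09:13:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "country": "RO", "op": "MailItemsAccessed", "items": 650},
    {"ts": "2026-05-14T09:20:00", "user": "bob", "session": "S2", "ip": "203.0.113.22", "country": "GB", "op": "SignIn", "items": 0},
    {"ts": "2026-05-14T09:30:00", "user": "bob", "session": "S2", "ip": "203.0.113.22", "country": "GB", "op": "MailItemsAccessed", "items": 12},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_session_reuse(events):
    """Flag every event where a session is presented from an IP or country that
    differs from the pair recorded at its SignIn event (token replay indicator)."""
    binding = {}  # session id -> (ip, country) observed at sign-in
    alerts = []
    for e in sorted(events, key=_ts):
        if e["op"] == "SignIn":
            binding[e["session"]] = (e["ip"], e["country"])
            continue
        bound = binding.get(e["session"])
        if bound is None:
            alerts.append({"session": e["session"], "user": e["user"], "ts": e["ts"],
                           "reason": "activity without an observed sign-in"})
        elif (e["ip"], e["country"]) != bound:
            alerts.append({"session": e["session"], "user": e["user"], "ts": e["ts"],
                           "reason": f"bound to {bound[0]} ({bound[1]}), used from {e['ip']} ({e['country']})"})
    return alerts


def detect_rapid_access(events, threshold=500, window_minutes=5):
    """Flag a session whose MailItemsAccessed total inside any sliding window
    exceeds the threshold (assumed values; tune to the organisation's baseline)."""
    window = timedelta(minutes=window_minutes)
    per_session = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["op"] == "MailItemsAccessed":
            per_session[e["session"]].append((_ts(e), e["items"]))
    alerts = []
    for session, points in per_session.items():
        start, total = 0, 0
        for t, n in points:
            total += n
            while t - points[start][0] > window:  # slide the window forward
                total -= points[start][1]
                start += 1
            if total > threshold:
                alerts.append({"session": session, "items": total, "window_end": t.isoformat()})
                break
    return alerts


def items_before_reauth(events, session, reauth_delay_seconds):
    """Count the mailbox items a hijacked session could touch between its first
    off-binding use and a forced re-authentication that fires reauth_delay_seconds
    later. A small delay models CAE-style revocation; a large one models waiting
    for a token refresh boundary."""
    reuse = [a for a in detect_session_reuse(events) if a["session"] == session]
    if not reuse:
        return 0
    first_bad = datetime.fromisoformat(reuse[0]["ts"])
    cutoff = first_bad + timedelta(seconds=reauth_delay_seconds)
    return sum(e["items"] for e in events
               if e["session"] == session and e["op"] == "MailItemsAccessed"
               and first_bad <= _ts(e) < cutoff)


if __name__ == "__main__":
    for a in detect_session_reuse(EVENTS) + detect_rapid_access(EVENTS):
        print(a)
    print("items reachable with 30s revocation:", items_before_reauth(EVENTS, "S1", 30))
    print("items reachable with 15min refresh:", items_before_reauth(EVENTS, "S1", 900))
```

The point the numbers make is the one in the paragraph above: a near-immediate revocation still leaves whatever the attacker pulled in the first request, and a refresh-boundary-only policy leaves the whole burst, so the rapid-access rule has to run alongside the identity controls rather than instead of them.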

Scenario 2: DEVCORE Exchange SYSTEM RCE — Identity Controls Are Irrelevant

The Exchange SYSTEM RCE chain demonstrated at Pwn2Own achieves code execution on the Exchange Server operating system before any authentication event occurs. There is no user credential to evaluate, no conditional access policy to apply, no MFA challenge to trigger. The attack traverses the vulnerability in the application code, not the authentication layer.

For this attack, the relevant defensive layers are:

Network access restriction: Limiting which IP ranges can reach the Exchange Server on port 443 restricts the population of attackers who can attempt exploitation. While Conditional Access evaluates authenticated sessions, a network-layer firewall rule evaluates connection attempts before any application-layer processing occurs.

Web Application Firewall: A WAF inspecting Exchange requests can detect anomalous request patterns — the type of malformed or unexpected requests that multi-stage exploit chains often require during exploitation attempts. Exchange-specific WAF rules from major vendors have signatures tuned for known Exchange attack patterns.

Patch velocity: The only control that addresses the underlying vulnerability is the patch. Network controls and WAFs reduce the exploitation window and increase attacker cost, but they are not substitutes for patching.

Endpoint Detection on the Exchange Server: Server-side exploitation leaves artefacts at the process, file system, and network level on the Exchange Server itself. AV/EDR running on the Exchange Server with rules for the known post-exploitation behaviours (ASPX webshell creation, PowerShell spawned from the IIS worker process, unusual outbound connections from the Exchange process) is the most reliable detection layer for server-side exploitation.
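The three post-exploitation behaviours listed above map directly onto detection rules. The following is an added example, written for this article rather than taken from it or from any EDR vendor: it evaluates those three rules over constructed endpoint telemetry (process creation, file creation and network connection events). The event schema, the Exchange web-root paths, the internal address ranges and the set of shell images are assumptions to be adjusted for the actual deployment; the rules only detect, they do not reproduce any exploit.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumed Exchange web roots for the webshell-drop rule (adjust to the install).
EXCHANGE_WEB_ROOTS = (
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess",
    r"C:\inetpub\wwwroot\aspnet_client",
)
# Assumed internal ranges: the IIS worker proxies to backend/peer servers inside
# these, so egress to anything else is treated as unusual.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IIS_WORKER = "w3wp.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEBSHELL_EXTS = {".aspx", ".ashx", ".asmx"}

# Constructed sample telemetry (not real events): a suspicious and a benign
# instance of each event type, in this order.
TELEMETRY = [
    {"type": "process", "host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command whoami"},
    {"type": "process", "host": "EXCH01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\errorFE.aspx"},
    {"type": "file", "host": "EXCH01", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\admin\Documents\report.docx"},
    {"type": "network", "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "dest": "198.51.100.40", "port": 443},
    {"type": "network", "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "dest": "10.0.0.5", "port": 444},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _under_web_root(path):
    # PureWindowsPath compares components case-insensitively, as NTFS does.
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in EXCHANGE_WEB_ROOTS)


def rule_iis_spawns_shell(e):
    """IIS worker process spawning a command shell or PowerShell."""
    if e["type"] != "process":
        return None
    if _basename(e["parent"]) == IIS_WORKER and _basename(e["image"]) in SHELL_IMAGES:
        return f"IIS worker spawned {_basename(e['image'])}: {e['cmdline']}"
    return None


def rule_webshell_drop(e):
    """Server-side script file written under an Exchange web root."""
    if e["type"] != "file":
        return None
    p = PureWindowsPath(e["path"])
    if p.suffix.lower() in WEBSHELL_EXTS and _under_web_root(e["path"]):
        return f"script written under Exchange web root by {_basename(e['image'])}: {e['path']}"
    return None


def rule_iis_external_egress(e):
    """IIS worker connecting outbound to an address outside the internal ranges."""
    if e["type"] != "network":
        return None
    addr = ipaddress.ip_address(e["dest"])
    if _basename(e["image"]) == IIS_WORKER and not any(addr in n for n in INTERNAL_NETS):
        return f"IIS worker outbound to {e['dest']}:{e['port']}"
    return None


RULES = {
    "iis_spawns_shell": rule_iis_spawns_shell,
    "webshell_drop": rule_webshell_drop,
    "iis_external_egress": rule_iis_external_egress,
}


def evaluate(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for e in events:
        for name, rule in RULES.items():
            detail = rule(e)
            if detail:
                alerts.append({"rule": name, "host": e["host"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(TELEMETRY):
        print(alert)
```

Each rule fires on exactly one of the six constructed events. In production the egress rule in particular needs tuning against the server's legitimate outbound baseline (proxying, hybrid connectors, updates) before it is alert-worthy rather than merely informational.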

The Combined Lesson for IAM Teams

IAM teams are sometimes positioned as the primary defence against Exchange compromise because “if MFA is enforced, attackers can’t access Exchange without valid credentials.” This framing is correct for credential-based attacks and partially correct for session-based attacks like CVE-2026-42897. It is not correct for server-side RCE.

The operational implication is that IAM investment needs a complementary set of controls:

  • For credential attacks: MFA, phishing-resistant authentication (FIDO2), Conditional Access ✓
  • For session attacks: Risk-based CA, CAE, OWA session monitoring ✓
  • For server-side RCE: Patch velocity, network access restriction, WAF, server EDR ← IAM does not contribute here

Communicating this clearly to security leadership prevents the common error of treating MFA deployment as an Exchange security programme, when it actually addresses one layer of a multi-layer threat model.

The week of 12–18 May 2026 provides a concrete set of examples for precisely this distinction.
