CVE-2026-1568 is a critical security vulnerability identified in Rapid7 InsightVM's Vulnerability Management product, specifically affecting versions before 8.34.0. The vulnerability stems from improper verification of cryptographic signatures (CWE-347) on the Assertion Consumer Service (ACS) cloud endpoint. The ACS endpoint is responsible for processing SAML assertions used in federated authentication workflows. Due to this flaw, InsightVM processes unsigned or improperly signed assertions without validating their authenticity, allowing attackers to forge assertions. When such forged assertions are accepted, the application issues session cookies granting authenticated access to the targeted InsightVM user accounts configured via Security Console installations. This results in a full account takeover, compromising confidentiality and integrity of the affected accounts. The vulnerability requires network access and low privileges (PR:L) but does not require user interaction (UI:N), making exploitation feasible in targeted attacks. The CVSS v3.1 base score is 9.6, reflecting the critical nature of the flaw with network attack vector, low attack complexity, and high impact on confidentiality and integrity. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make this a high-risk vulnerability. Rapid7 has fixed this issue in InsightVM version 8.34.0 by enforcing proper signature verification on the ACS endpoint, preventing acceptance of unsigned assertions and unauthorized session issuance.

For European organizations, this vulnerability poses a significant risk to the security of their vulnerability management infrastructure. InsightVM is widely used across Europe for asset discovery, vulnerability assessment, and risk management. An attacker exploiting this flaw could gain unauthorized access to InsightVM accounts, potentially exposing sensitive vulnerability data, security configurations, and network topology information. This could facilitate further lateral movement, targeted attacks, or disruption of security operations. Organizations relying on Security Console installations are particularly vulnerable. The compromise of InsightVM accounts undermines trust in vulnerability management processes and could delay or prevent timely remediation of other security issues. Given the criticality and potential for full account takeover without user interaction, the impact on confidentiality and integrity is severe. Additionally, regulatory compliance frameworks in Europe, such as GDPR, may impose penalties if sensitive data is exposed due to this vulnerability.

European organizations using Rapid7 InsightVM should immediately upgrade to version 8.34.0 or later to remediate this vulnerability. Until patching is complete, organizations should restrict network access to the ACS cloud endpoint to trusted IP addresses and monitor authentication logs for suspicious assertion processing or unexpected session creations. Implementing multi-factor authentication (MFA) on InsightVM accounts can reduce the risk of account takeover even if session cookies are compromised. Security teams should audit existing user sessions and revoke any suspicious or stale sessions. Additionally, organizations should review their Security Console configurations to ensure minimal exposure and apply network segmentation to isolate vulnerability management infrastructure. Regularly updating and validating SAML configurations and certificates can help prevent similar issues. Finally, integrating InsightVM logs with centralized SIEM solutions can enhance detection of anomalous authentication activities related to this vulnerability.