{"id":58489,"date":"2025-04-15T00:00:00","date_gmt":"2025-04-15T00:00:00","guid":{"rendered":"urn:uuid:b9fcbbdb-39d3-9cad-5e2a-b27c04786f95"},"modified":"2025-04-15T00:00:00","modified_gmt":"2025-04-15T00:00:00","slug":"zdi-23-1527-and-zdi-23-1528-the-potential-impact-of-overly-permissive-sas-tokens-on-pc-manager-supply-chains","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/zdi-23-1527-and-zdi-23-1528-the-potential-impact-of-overly-permissive-sas-tokens-on-pc-manager-supply-chains\/","title":{"rendered":"ZDI-23-1527 and ZDI-23-1528: The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chains"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pc-manager-thumbjpg:Large?qlt=80\"><\/p>\n<p>Microsoft has provided the following comments for researchers who wish to conduct similar research in the future:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Using tokens or credentials to access data that is not your own is a violation of <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/bounty-microsoft-azure\">Microsoft Azure Bounty Rules of Engagement<\/a>.\u202f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Future researchers may simply report a suspected overly-permissive SAS token to the bounty program without using the Azure Storage Explorer tool to verify the validity of the token. 
The Microsoft Security Response Center will perform necessary investigations to determine the impact and scope of the reported token on behalf of the submitter.<\/span><\/li>\n<\/ul>\n<p>Unlike the WinGet manifest <i>InstallerUrl<\/i> hijack, this technique presents a more impactful method for conducting a supply chain attack by modifying the PC Manager releases from the official website <i>pcmanager.microsoft.com<\/i>.\u202f<\/p>\n<p>This is compounded by the fact that in certain releases of PC Manager, auto updates are enabled by default. Therefore, an attacker\u2019s malicious executable could potentially masquerade as an executable that would be propagated to every single installation of PC Manager, provided its default configuration is unchanged.&nbsp;<\/p>\n<p>However, it is important to note that the MSI installers would not be digitally signed, as there were no certificates found in the storage account. Nevertheless, attackers could still abuse implicit trust by using ZIP files containing attacker-controlled malicious scripts, binaries signed with leaked certificates, and so on.&nbsp;<\/p>\n<p>This issue was reported to Microsoft as <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-1528\/\">ZDI-23-1528<\/a>.\u202f<\/p>\n<p><span class=\"body-subhead-title\">Resolution<\/span><\/p>\n<p>After we reported our findings to Microsoft, they initially replaced the overly permissive SAS token with a read-only SAS token. Later, the links were replaced with the Microsoft App Store URL, thus preventing the direct download of the binary. 
As for the WinGet manifests, Microsoft removed the SAS token in the <a href=\"https:\/\/github.com\/microsoft\/winget-pkgs\/pull\/123656\/files\">following<\/a> GitHub <a href=\"https:\/\/github.com\/microsoft\/winget-pkgs\/pull\/123653\/files\">pull requests<\/a>.\u202f<\/p>\n<p><span class=\"body-subhead-title\">Challenges\u202f<\/span><\/p>\n<p>Account and service SAS tokens are generated on the client\u2019s end from a shared access key, so no Azure logs are generated when a SAS token is created. Hence, if a Storage Account\u2019s access key is leaked, an attacker can create numerous overly permissive SAS tokens and use them to maintain persistent access to the publicly reachable storage account. To invalidate a SAS token, the user must either use <a href=\"https:\/\/learn.microsoft.com\/en-us\/rest\/api\/storageservices\/define-stored-access-policy\">Stored Access Policies<\/a> or <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/storage\/common\/storage-account-keys-manage?tabs=azure-portal#manually-rotate-access-keys\">rotate<\/a> the Storage Account\u2019s access key. However, rotating the Storage Account\u2019s access key invalidates all the SAS tokens ever generated.\u202f<\/p>\n<p><span class=\"body-subhead-title\">Detection opportunities\u202f<\/span><\/p>\n<p>To detect the use of SAS tokens for storage accounts, users can enable <a href=\"https:\/\/learn.microsoft.com\/en-us\/rest\/api\/storageservices\/storage-analytics-logged-operations-and-status-messages\">Azure Storage Analytics logs<\/a>. However, depending on usage, this can come at a significant additional cost. Users cannot recover the SAS token itself from the logs, since the <i>sig<\/i> signature field of the SAS token is not logged. However, users can <a href=\"https:\/\/docs.azure.cn\/en-us\/storage\/blobs\/blob-storage-monitoring-scenarios#identifying-the-sas-token-used-to-authorize-a-request\">leverage<\/a> AuthenticationHash to find which SAS token is being used. 
The logs could also be <a href=\"https:\/\/learn.microsoft.com\/en-us\/rest\/api\/storageservices\/storage-analytics-log-format#log-entry-fields-for-version-10\">leveraged<\/a> to gather the following information when a storage account is accessed using a SAS token. These detection ideas are a starting point for defenders building queries for their own environments and tooling:\u202f<\/p>\n<ol>\n<li>Data Exfiltration.&nbsp;<span>To detect when abnormally large amounts of data are being exfiltrated to a known malicious or suspicious IP address, <i>response-packet-size<\/i> can be leveraged.<\/span><\/li>\n<li>Overly Permissive SAS Token.&nbsp;<span>To check whether a Storage Account is being accessed with an overly permissive SAS token, inspect the <i>sp<\/i> parameter (SAS permission) contained in <i>request-url<\/i>.<\/span><\/li>\n<li>Anonymous Access. <span>To determine whether the Storage Account is accessible anonymously, <i>authentication-type<\/i> can be leveraged.\u202f<\/span><\/li>\n<li>File Name Heuristics.&nbsp;<span>To determine whether sensitive files are being accessed from a known-bad IP address, use <i>requested-object-key<\/i>, which contains the name of the file being requested. Based on patterns such as <i>.env<\/i>, <i>password<\/i>, <i>config<\/i>, <i>secret<\/i>, and <i>auth<\/i>, among others, heuristic detections can be built.\u202f<\/span><\/li>\n<li>Malicious IP. <span>To determine whether known malicious IP addresses are accessing the Storage Account successfully, <i>requester-ip-address<\/i> can be leveraged.<\/span><\/li>\n<li>Anonymous or SAS token requests. <span>To determine if there are anonymous or SAS token requests, <i>requester-account-name == ''<\/i> and <i>request-status == success<\/i> can be leveraged.<\/span><\/li>\n<li>Suspicious User Agents. <span>To detect suspicious user agents, <i>user-agent-header<\/i> values can be compared against a list of known suspicious user agents. 
Although user-agents can be morphed by the user, this can still help to reduce noise from internal environments.\u202f\u202f<\/span><\/li>\n<\/ol>\n<p>To hunt for overly-permissive SAS tokens in codebases, the logic listed below can be used.<\/p>\n<p>For service SAS tokens,&nbsp;only check the URL parameters for detecting SAS tokens, as the host could be different. Of the URL parameters <i>sv<\/i>, <i>se<\/i>, <i>sr<\/i>, <i>sp<\/i>, <i>sig<\/i>, the important parameters to look out for are:\u202f<\/p>\n<p><b>Check value:\u202f<\/b><\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">sp (permissions of the SAS token) \u2013 the value of sp parameter starts with rw\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">se (expiry of the SAS token) \u2013 the value of se parameter is sometime later than the current time\u202f<\/span><\/li>\n<\/ul>\n<p><span class=\"rte-red-bullet\"><b>Check existence:<\/b><\/span><\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">sig (HMAC-256 encoded signature)\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">sv (version of the SAS)\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">sr (resources the SAS token delegates access to)\u202f<\/span><\/li>\n<\/ul>\n<p>For account SAS tokens, of the URL parameters <i>sv<\/i>, <i>ss<\/i>, <i>srt<\/i>, <i>sp<\/i>, <i>se<\/i>, <i>st<\/i>, <i>spr<\/i>, and <i>sig<\/i>, the important parameters to look out for are:\u202f\u202f<\/p>\n<p><span class=\"rte-red-bullet\"><b>Check value:\u202f<\/b><\/span><\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">sp (permissions of the SAS token) &#8211; the value of sp parameter starts with rw\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">se (expiry of the SAS token) \u2013 the value of se parameter is sometime later than the current time\u202f<\/span><\/li>\n<\/ul>\n<p><span class=\"rte-red-bullet\"><b>Check existence:\u202f<\/b><\/span><\/p>\n<ul>\n<li><span class=\"rte-circle-bullet\">sv (storage version used to request 
authorization)\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">ss (services accessible using the SAS)\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">srt (signed resource types that are accessible using the SAS)\u202f<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">sig (HMAC-256 encoded signature)<\/span><\/li>\n<\/ul>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/d\/zdi-23-1527-and-zdi-23-1528-the-potential-impact-of-overly-permi.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In ZDI-23-1527 and ZDI-23-1528 we uncover two possible scenarios where attackers could have compromised the Microsoft PC Manager supply chain. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":58490,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,11125,9509],"class_list":["post-58489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-risk","tag-trend-micro-research-research"]}