CVE-2021-22506 — Micro Focus Access Manager Information Leakage Vulnerability

CVE-2021-22506

Micro Focus Access Manager — SAML ACS URL Redirect Flaw Enables Unauthenticated Attacker to Capture Authentication Tokens and Compromise Accounts

What is Micro Focus Access Manager?

Micro Focus Access Manager (formerly NetIQ Access Manager) is an enterprise identity and access management platform providing Single Sign-On (SSO), federated identity, SAML-based authentication, and web access management for large organizations. It acts as a SAML Identity Provider (IdP) and/or Service Provider (SP), brokering authentication between users and enterprise applications. Because Access Manager processes authentication tokens and SAML assertions that control access to all enterprise applications, vulnerabilities in its SAML handling can allow attackers to capture authentication tokens, forge identities, or access protected resources without valid credentials. Authentication infrastructure is a particularly high-value target because compromise enables access to any application that trusts the compromised identity provider.

Overview

CVE-2021-22506 is an information leakage vulnerability in Micro Focus Access Manager resulting from a flaw in how the SAML Service Provider handles the Assertion Consumer Service (ACS) URL. During SAML authentication flows, the ACS URL specifies where the identity provider should send the SAML response (which contains the authentication token). Insufficient validation of the ACS URL allows an attacker to manipulate the redirect destination, causing Access Manager to send the SAML authentication response — including authentication tokens — to an attacker-controlled server. This enables unauthorized access to any application protected by Access Manager. Micro Focus patched the flaw in March 2021, and CISA added it to the KEV catalog in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Micro Focus Access Manager 4.5 SP4 and earlier | Yes | Patch per Micro Focus advisory
Micro Focus Access Manager 5.0 and earlier | Yes | Patch per Micro Focus advisory

Technical Details

  • Root cause: Insufficient validation of the SAML Assertion Consumer Service (ACS) URL — when a SAML authentication request specifies an ACS URL, Access Manager should validate that the URL matches a registered and trusted endpoint for the requesting service provider; if this validation is absent or bypassable, an attacker can supply an attacker-controlled ACS URL, causing the authentication flow to redirect the SAML response (with authentication token) to the attacker's server
  • Token theft: The SAML response sent to the attacker's ACS URL contains a signed SAML assertion that can be replayed against the target application to authenticate as the victim user — without ever needing the victim's credentials
  • Unauthenticated exploitation: CVSS PR:N/UI:N — the attack can be performed by any unauthenticated network-accessible actor; it targets the authentication flow of any user authenticating through the vulnerable Access Manager instance
  • Enterprise impact: Access Manager protects access to enterprise applications across the organization; successfully stealing a SAML assertion for a privileged user (administrator, HR manager, finance user) provides unauthorized access to those applications and their data
  • SAML relay/redirect vulnerability class: This is part of a broader class of SAML implementation vulnerabilities where improper validation of redirect URLs or assertion binding leads to token theft or authentication bypass

Discovery

Reported to Micro Focus and patched in a security update released in March 2021. The November 2021 CISA KEV addition confirms that vulnerable Access Manager instances were exploited in the wild — reflecting that SSO/identity platform vulnerabilities are actively targeted for credential and token theft.

Exploitation Context

Identity and access management platforms are premium targets in enterprise attacks because compromising the authentication broker provides access to all applications that trust it. CVE-2021-22506's SAML token theft allows attackers to silently authenticate as any user — including administrators — without triggering password-based alerts or requiring credential theft. This is particularly useful for espionage operations (silent access to corporate applications) and as a stealthy initial access mechanism. The CISA KEV addition reflects that enterprise SSO vulnerabilities are actively exploited and represent a high-risk category.

Remediation

  1. Apply the Micro Focus Access Manager patch for CVE-2021-22506 — check the Micro Focus support portal for the specific patch applicable to your version
  2. Validate ACS URL registrations: audit all registered Service Provider configurations in Access Manager and ensure ACS URLs are explicitly allow-listed to known, trusted endpoints
  3. Enable strict ACS URL validation if it is available as a configuration option in your Access Manager version
  4. Review SAML authentication logs for anomalous ACS URL patterns — legitimate traffic should only use registered SP endpoints; requests naming unknown ACS URLs in authentication flows indicate exploitation attempts
  5. Implement SAML response signature validation at all Service Provider endpoints to detect replayed or modified assertions
  6. Consider network segmentation: restrict which systems can initiate SAML authentication flows to the Access Manager instance; unexpected external sources initiating authentication flows may indicate exploitation
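The root cause described under Technical Details (ACS URLs accepted without being checked against the SP's registered endpoints) and remediation steps 2 and 4 (allow-list ACS URLs, then review authentication logs for requests naming anything else) can be illustrated in one short example. The code below is an added example written for this page; it is not Micro Focus code and does not reflect how Access Manager stores SP configuration. The SP registry, the `TIMESTAMP EVENT key=value` log format and the sample log lines are all constructed. The check normalizes host case and the default HTTPS port, and rejects non-HTTPS schemes, userinfo (`registered-host@other-host` forms), fragments and malformed ports before doing an exact comparison against the registered URLs; the triage pass then flags every authentication request whose ACS URL fails that check.

```python
"""Strict SAML ACS URL allow-listing plus a log triage pass over authn requests.

Added example, not Micro Focus code. The SP registry, the log line format
and the sample log lines are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed registry: SP entityID -> the exact ACS URLs registered in SP metadata.
REGISTERED_ACS = {
    "https://app.example.com/sp": {
        "https://app.example.com/saml/acs",
        "https://app.example.com:8443/saml/acs",
    },
}


def normalize_acs(url):
    """Canonical (scheme, host, port, path, query) for an ACS URL, or None if unacceptable.

    Rejects non-HTTPS schemes, userinfo (user@host tricks), fragments and
    unparseable ports, and folds host case and the default HTTPS port so
    that trivial variants cannot dodge an exact comparison.
    """
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname:
        return None
    if p.username is not None or p.password is not None or p.fragment:
        return None
    return (p.scheme, p.hostname.lower(), port or 443, p.path or "/", p.query)


def acs_allowed(entity_id, requested_acs):
    """True only if the requested ACS URL matches a registered one for this SP."""
    registered = REGISTERED_ACS.get(entity_id)
    if not registered:
        return False  # unknown SP: never honour a caller-supplied ACS URL
    want = normalize_acs(requested_acs)
    return want is not None and any(normalize_acs(r) == want for r in registered)


@dataclass
class Finding:
    timestamp: str
    source_ip: str
    entity_id: str
    requested_acs: str


def parse_line(line):
    """Parse a constructed 'TIMESTAMP EVENT key=value ...' log line."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    return parts[0], parts[1], fields


def triage(lines):
    """Return a Finding for every authn request whose ACS URL is not registered."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "SAML_AUTHN_REQUEST":
            continue
        ts, _, f = parsed
        sp, acs = f.get("sp", ""), f.get("acs", "")
        if not acs_allowed(sp, acs):
            findings.append(Finding(ts, f.get("src", "?"), sp, acs))
    return findings


# Constructed sample log: two legitimate requests (one with a case/port variant),
# two requests steering the response to an unregistered host, one unrelated event.
SAMPLE_LOG = [
    "2021-03-10T09:12:01Z SAML_AUTHN_REQUEST src=198.51.100.7 sp=https://app.example.com/sp acs=https://app.example.com/saml/acs",
    "2021-03-10T09:12:44Z SAML_AUTHN_REQUEST src=198.51.100.7 sp=https://app.example.com/sp acs=https://APP.EXAMPLE.COM:443/saml/acs",
    "2021-03-10T09:13:09Z SAML_AUTHN_REQUEST src=203.0.113.5 sp=https://app.example.com/sp acs=https://app.example.com@unregistered.invalid/saml/acs",
    "2021-03-10T09:13:30Z SAML_AUTHN_REQUEST src=203.0.113.5 sp=https://app.example.com/sp acs=https://unregistered.invalid/saml/acs",
    "2021-03-10T09:14:02Z SAML_LOGOUT src=198.51.100.7 sp=https://app.example.com/sp",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} src={f.source_ip} sp={f.entity_id} unregistered acs={f.requested_acs}")
```

The comparison is deliberately exact rather than prefix- or substring-based: a check such as "the requested URL starts with the registered host" is the kind of shortcut that a `registered-host@other-host` or `registered-host.other-domain` form defeats. When adapting this to a real log source, keep the decision in `acs_allowed` and only change `parse_line` to match the product's field names.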

Key Details

Property | Value
CVE ID | CVE-2021-22506
Vendor / Product | Micro Focus — Micro Focus Access Manager
NVD Published | 2021-03-26
NVD Last Modified | 2025-10-27
CVSS 3.1 Score | 7.5
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity | HIGH
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | None
Availability | None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-03-26 | CVE published; Micro Focus releases patch for Access Manager
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Micro Focus Security Advisory — CVE-2021-22506 | Vendor Advisory
NVD — CVE-2021-22506 | Vulnerability Database
CISA KEV Catalog Entry | US Government