Black Hat USA 2026 Learn. Connect. Engage.

Traditional network perimeters are disappearing with the increased adoption of cloud infrastructure, SaaS applications, and remote workforces. As a result, solutions such as Teleport have emerged to provide secure access to distributed infrastructure and services, including emerging AI-driven access patterns. But what happens when a threat actor targets the very technology responsible for guarding remote access?

This talk explores the intersection of newly identified vulnerabilities and misconfigurations within Teleport, with a focus on the practical steps that can be taken when assessing environments that rely on it.

I’ll walk through the major components of a typical Teleport cluster deployment and how this differs from other zero-trust access services, laying the foundation for exploring potential weaknesses. Next, I’ll focus on post-exploitation scenarios that may arise during an assessment, from access to an endpoint, to attack-paths available from a compromised Node. In addition, I will provide details of several newly discovered vulnerabilities in Teleport, focusing on their practical use in attacks against a cluster.

By the end of this session, both offensive and defensive teams will have a clearer understanding of weaknesses in Teleport deployments, vulnerabilities in core areas of the platform, and the tooling and knowledge needed to support further research.

Coming from the field of enterprise security, performing privilege escalation and lateral movement by attacking Windows Integrated Authentication is our bread and butter. But as more and more companies are adopting cloud services, we decided to shift our attention to Passkeys, which are slowly but steadily becoming the norm. Surprisingly, our novel research has shown that some implementations of Passkey authentication are vulnerable to attacks fundamentally similar to Pass-the-Hash and NTLM Relay. We have therefore decided to call this category of attacks Pass-the-Passkey.

We have identified the Passkey implementation in a major cloud service to be vulnerable to the attacks the solution was designed to prevent. Moreover, we have discovered past signatures generated by YubiKeys being stored in cleartext form readable by authenticated unprivileged users, even remote ones. This chain of vulnerabilities allowed us to successfully impersonate privileged users while bypassing the enforcement of phishing-resistant MFA and remaining undetected by popular XDR solutions.

The tooling we developed to exploit these vulnerabilities can also be utilized to perform Passkey phishing, tampering, spoofing, fuzzing, and prompt flooding attacks. Some of these techniques can even be executed on compromised terminal hosts and/or virtual machines to which target identities are connecting. We will demonstrate the feasibility of these attacks using a popular C2 infrastructure.

As the WebAuthn specification mandates a 22-step Passkey validation process involving non-trivial cryptography and transactional processing, making a mistake while implementing the spec is easy, even for companies that co-authored the standard. We expect that by open-sourcing our tools, we will enable other penetration testers to discover many more web application vulnerabilities stemming from non-compliant Passkey verification procedures.

Windows Server Update Services (WSUS) sits at the heart of enterprise patch management, responsible for distributing updates across thousands of endpoints. Its privileged position in the network makes it a high-value target. A compromised WSUS server enables lateral movement, persistent footholds, and organization-wide implant deployment at scale.

This Briefing presents original research into a new Attack Path technique that results in full WSUS infrastructure takeover. We will walk through how security infrastructure itself can be weaponized, how existing controls can be bypassed, and how malicious update packages can be deployed for domain-wide code execution.

Attendees will leave with a clear understanding of the attack surface, practical remediation guidance, two new open-source tools, and a five part blog series which will be released alongside this Briefing. Defensive mitigations will be covered giving defenders actionable steps to harden their environments before attackers exploit the same techniques.