Impact An unauthenticated remote attacker who can place a SOAP header lexically before "wsse:Security" can embed a "ds:Signature" of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header. Preconditions Exploitation requires the endpoint be configured with an endorsing supporting token binding, and the attacker constructs a "ds:Signature" whose "KeyInfo" resolves through the receive-side token resolver to a key under the attacker’s control. Both are conditions outside the attacker’s direct control on a generic deployment. Patches Fixed in CoreWCF v1.8.1 and v1.9.1 Workarounds Use a security token resolver that only accepts references to issuer-pinned X.509 chains (the default when expecting a static set of signing certificates).