Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. A vulnerability present in versions 0.9.10 through 0.9.16 allows a user to authenticate to a Linux host via Himmelblau using an *invalid* Hello PIN, provided the host is offline. While the user gains access to the local system, Single Sign-On (SSO) fails because the network is down and no tokens can be issued (the Hello key is never unlocked). The core issue lies in an incorrect assumption within the `acquire_token_by_hello_for_business_key` function: it was expected to return a `TPMFail` error for an invalid key when offline, but instead the preceding nonce request resulted in a `RequestFailed` error, leading the system to erroneously transition to an offline success state without validating the key unlock. This impacts systems where authentication operates with the Hello PIN enabled. Rocky 8 (and variants) are not affected by this vulnerability. The problem is resolved in version 0.9.17. A workaround is available for users who cannot immediately upgrade: disabling Hello by setting `enable_hello = false` in `/etc/himmelblau/himmelblau.conf` mitigates the issue.
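The flaw is a classic error-classification mistake: a network failure that occurs before the key is ever exercised is treated as if the key had been validated. The following Rust model, added here as an illustration and not taken from Himmelblau's source, reduces the flow to its essentials. All names (`Backend`, `TokenError`, `authenticate_vulnerable`, `authenticate_fixed`, `unlock_hello_key`) are invented for the example; the only thing borrowed from the advisory is the ordering in which the nonce request precedes the key unlock, and the two error variants it mentions.

```rust
// Hypothetical model of the offline-success error-handling flaw described above.
// This is NOT Himmelblau's code; every identifier here is invented for illustration.

#[derive(Debug, PartialEq)]
pub enum TokenError {
    /// The TPM-backed Hello key could not be unlocked: the PIN is wrong.
    TpmFail,
    /// A network request (here: the nonce fetch that precedes the unlock) failed.
    RequestFailed,
}

#[derive(Debug, PartialEq)]
pub enum AuthResult {
    Success,
    OfflineSuccess,
    Denied,
}

/// Simulated backend: records whether the network is up and which PIN is valid.
pub struct Backend {
    pub network_up: bool,
    pub correct_pin: &'static str,
}

impl Backend {
    /// Simulates token acquisition with the Hello key. The nonce request runs
    /// BEFORE the key unlock, so with the network down this returns
    /// RequestFailed without the PIN ever being checked.
    pub fn acquire_token_by_hello_key(&self, pin: &str) -> Result<(), TokenError> {
        if !self.network_up {
            return Err(TokenError::RequestFailed);
        }
        if pin != self.correct_pin {
            return Err(TokenError::TpmFail);
        }
        Ok(())
    }

    /// Local, network-independent check that the PIN really unlocks the key.
    pub fn unlock_hello_key(&self, pin: &str) -> Result<(), TokenError> {
        if pin == self.correct_pin {
            Ok(())
        } else {
            Err(TokenError::TpmFail)
        }
    }
}

/// Vulnerable flow: assumes the only way to see an error other than TpmFail is
/// "we are offline", and grants offline access on that basis. With the network
/// down the PIN is never validated, so any PIN is accepted.
pub fn authenticate_vulnerable(backend: &Backend, pin: &str) -> AuthResult {
    match backend.acquire_token_by_hello_key(pin) {
        Ok(()) => AuthResult::Success,
        Err(TokenError::TpmFail) => AuthResult::Denied,
        Err(TokenError::RequestFailed) => AuthResult::OfflineSuccess,
    }
}

/// Hardened flow: a network failure is not evidence about the PIN, so the key
/// unlock is validated locally before offline access is granted.
pub fn authenticate_fixed(backend: &Backend, pin: &str) -> AuthResult {
    match backend.acquire_token_by_hello_key(pin) {
        Ok(()) => AuthResult::Success,
        Err(TokenError::TpmFail) => AuthResult::Denied,
        Err(TokenError::RequestFailed) => match backend.unlock_hello_key(pin) {
            Ok(()) => AuthResult::OfflineSuccess,
            Err(_) => AuthResult::Denied,
        },
    }
}

fn main() {
    // Constructed scenario: host offline, correct PIN is "1234".
    let offline = Backend { network_up: false, correct_pin: "1234" };
    println!("vulnerable, wrong PIN offline: {:?}", authenticate_vulnerable(&offline, "0000"));
    println!("fixed, wrong PIN offline:      {:?}", authenticate_fixed(&offline, "0000"));
    println!("fixed, right PIN offline:      {:?}", authenticate_fixed(&offline, "1234"));
}
```

The general lesson for anyone reviewing similar code: when a function can fail for several independent reasons, the caller must not infer a positive security property (here, "the key unlocked") from the absence of one specific error variant. The fixed flow makes the unlock an explicit, separately checked step whenever the network path cannot vouch for it.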
https://github.com/himmelblau-idm/himmelblau/commit/64b03739f1d5ee472b1cff3ed20ed9af1c65a6f8
https://github.com/himmelblau-idm/himmelblau/commit/78477d684df710d57c10091c87b92665cfac98ae
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-j93j-pwm6-p97j