Azure Entra ID Elevation of Privilege Vulnerability
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), which means that a critical system function is accessible without requiring authentication. An attacker can remotely invoke this function without any privileges or user interaction and obtain elevated privileges in the Microsoft Azure Entra ID service.
An attacker can obtain unauthorized, elevated access to resources protected by Microsoft Azure Entra ID, potentially taking control of organizational identities, resources, and data.
Apply patches available from the vendor according to references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59246. It is recommended to continuously monitor Microsoft Security Response Center communications for detailed remediation instructions.
Microsoft Entra ID — versions indicated in vendor references (Microsoft Security Response Center).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Entra Id
APPMicrosoftwszystkie wersje
Related vulnerabilities
Błąd walidacji źródła w Microsoft Entra ID umożliwia privilege escalation
Obejście uwierzytelnienia w Microsoft Azure Active Directory B2C
Ujawnienie wrażliwych danych w Azure Entra ID umożliwiające spoofing
SSRF w Microsoft Entra ID Entitlement Management umożliwia spoofing
Microsoft Entra ID — Elevation of Privilege (nieautoryzowane podwyższenie uprawnień)