9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

nOAuth Vulnerability Persists in 9% of Microsoft Entra SaaS Applications Two Years After Initial Identification

June 25, 2025

Recent findings have revealed that a previously identified security vulnerability within Microsoft Entra ID continues to pose risks for certain software-as-a-service (SaaS) applications, potentially allowing malicious entities to exploit these weaknesses and gain unauthorized access to accounts. Research conducted by the identity security firm Semperis examined 104 SaaS applications, discovering that nine of them remain vulnerable to cross-tenant nOAuth exploitation.

First highlighted by Descope in June 2023, nOAuth represents an oversight in the implementation of the OpenID Connect (OIDC) authentication framework, which serves as a crucial layer on top of the OAuth protocol for user identification. The flaw allows attackers to manipulate the mail attribute associated with an Entra ID account, substituting it with that of a targeted victim. Consequently, this enables malicious actors to utilize the application’s “Log in with Microsoft” feature to illegally access and commandeer accounts.

The simplicity of this attack vector is alarming; it capitalizes on the fact that Entra ID allows users to connect accounts with unverified email addresses. This loophole presents an opportunity for user impersonation, a scenario that could lead to severe security breaches and unauthorized data access. Given the widespread adoption of SaaS solutions, the impact of such breaches can extend beyond individual accounts, potentially affecting the integrity of an organization’s entire digital infrastructure.

In terms of targeted demographics, the victims of this vulnerability are primarily users of the affected SaaS applications, which may span various sectors, including finance, healthcare, and technology. The persistence of this vulnerability underscores a critical concern for organizations relying on Microsoft Entra ID for identity and access management.

From a cybersecurity perspective, the tactics associated with this form of attack can be mapped to the MITRE ATT&CK framework, providing insights into the methods adversaries might use. Initial access through credential manipulation and persistence techniques via account hijacking are significant areas of concern. Once an attacker gains foothold, they may escalate privileges, allowing them to conduct further unauthorized actions within compromised environments.

Business owners and IT security professionals must remain vigilant and proactive in addressing these vulnerabilities. Regular assessments of existing security measures and timely updates in response to disclosed vulnerabilities are essential strategies for safeguarding sensitive data and protecting against potential exploits.

As investigations progress and remedial measures are put in place, it remains paramount for organizations to stay informed about emerging threats. Continued awareness can reduce the likelihood of falling victim to such vulnerabilities and stregthen overall cybersecurity defenses in an increasingly complex digital landscape.

Source link

Related Posts

Citrix Issues Urgent Patches for Actively Exploited Vulnerability CVE-2025-6543 in NetScaler ADC

June 25, 2025
Vulnerability / Network Security

Citrix has launched critical security updates to address a significant vulnerability in NetScaler ADC, which is currently being exploited in the wild. This vulnerability, identified as CVE-2025-6543, has a CVSS score of 9.2 out of 10. It involves a memory overflow issue that could lead to unintended control flow and potential denial-of-service attacks. Successful exploitation requires the appliance to be set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The affected versions include:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

Citrix has indicated that vulnerabilities also impact “Secure Private Access on-prem or Secure Private Access Hybrid” deployments utilizing NetScaler instances.

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.

Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…

Major Vulnerability in Open VSX Registry Poses Supply Chain Risks for Millions of Developers

On June 26, 2025, cybersecurity analysts revealed a serious flaw in the Open VSX Registry (“open-vsx[.]org”), which, if exploited, could allow attackers to seize control of the entire Visual Studio Code extensions marketplace. This represents a significant supply chain threat. “This vulnerability gives attackers total authority over the extensions marketplace and, consequently, over millions of developer machines,” stated Oren Yomtov, a researcher at Koi Security. “By leveraging a CI issue, a malicious actor could release harmful updates to every extension available on Open VSX.” After responsibly disclosing the issue on May 4, 2025, the maintainers proposed several fixes, culminating in a final patch on June 25. The Open VSX Registry, an open-source alternative to the Visual Studio Marketplace, is maintained by the Eclipse Foundation and is used by various code editors, including Cursor, Windsurf, Google Cloud Shell Editor, and Gitpod.