A vulnerability has been disclosed in Microsoft Entra ID (formerly Azure Active Directory) that lets malicious actors with local administrative privileges on a Pass-through Authentication (PTA) agent server bypass authentication controls, gaining unauthorized access to any synchronized Entra ID user.
Cymulate researchers explained in an Aug. 15 blog post that by manipulating the credential validation process on the agent, attackers can bypass the password check, which essentially turns the PTA agent into a “double agent” that lets them log in as any synced Entra ID user without knowing that user's actual password.
PTA was designed to let users sign in to cloud apps with the same password they use on-premises: Entra ID hands the credential to an on-premises agent, which validates it against Active Directory and reports the result back. A tampered agent that reports success for any synced account could instead grant access as a Global Administrator, conceivably with full privileges across the enterprise.
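To make the trust boundary concrete, the following is an added toy model written for this article, not Microsoft's protocol or Cymulate's research code. It assumes a simplified flow in which the cloud side relies entirely on the agent's verdict for synced users, with constructed sample accounts and passwords. It shows that an honest agent and a tampered one are indistinguishable to the cloud, that cloud-only accounts are unaffected because they never pass through the agent, and why mandatory MFA limits what a forged password verdict alone can achieve.

```python
"""Toy model of the pass-through authentication (PTA) trust boundary.

Added, simplified model for illustration; not Microsoft's protocol and not
Cymulate's code. All accounts and passwords below are constructed examples.
"""
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OnPremDirectory:
    """Stand-in for on-premises Active Directory: stores salted password hashes."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[upn] = (salt, _pbkdf2(password, salt))

    def validate(self, upn: str, password: str) -> bool:
        record = self._users.get(upn)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


class HonestPtaAgent:
    """Agent as designed: checks the credential against the directory and relays the verdict."""

    def __init__(self, directory: OnPremDirectory) -> None:
        self._directory = directory

    def validate(self, upn: str, password: str) -> bool:
        return self._directory.validate(upn, password)


class DoubleAgent(HonestPtaAgent):
    """Model of an agent whose validation step a local admin has overridden:
    it still consults the directory but reports success regardless of the answer."""

    def validate(self, upn: str, password: str) -> bool:
        self._directory.validate(upn, password)  # real verdict discarded
        return True


class Tenant:
    """Stand-in for the cloud identity service. For synced users the password
    verdict comes only from the agent; the cloud has no independent check."""

    def __init__(self, agent, synced_users, cloud_only, mfa_required=()):
        self._agent = agent
        self._synced = set(synced_users)
        self._cloud_only = {}  # upn -> (salt, digest); never routed via the agent
        for upn, pw in cloud_only.items():
            salt = os.urandom(16)
            self._cloud_only[upn] = (salt, _pbkdf2(pw, salt))
        self._mfa_required = set(mfa_required)

    def sign_in(self, upn: str, password: str, mfa_passed: bool = False) -> str:
        if upn in self._synced:
            password_ok = self._agent.validate(upn, password)
        elif upn in self._cloud_only:
            salt, digest = self._cloud_only[upn]
            password_ok = hmac.compare_digest(digest, _pbkdf2(password, salt))
        else:
            return "denied"
        if not password_ok:
            return "denied"
        if upn in self._mfa_required and not mfa_passed:
            return "mfa_required"
        return "granted"


def run_scenarios() -> dict[str, str]:
    """Constructed sample tenant; returns the sign-in outcome for each scenario."""
    directory = OnPremDirectory()
    directory.add_user("admin@corp.example", "correct horse battery staple")
    directory.add_user("alice@corp.example", "alice-pw")
    synced = {"admin@corp.example", "alice@corp.example"}
    cloud_only = {"svc@corp.example": "svc-pw"}

    honest = Tenant(HonestPtaAgent(directory), synced, cloud_only)
    rogue = Tenant(DoubleAgent(directory), synced, cloud_only)
    rogue_mfa = Tenant(DoubleAgent(directory), synced, cloud_only, mfa_required=synced)

    return {
        "honest_wrong_pw": honest.sign_in("admin@corp.example", "guess"),
        "honest_right_pw": honest.sign_in("admin@corp.example", "correct horse battery staple"),
        "rogue_wrong_pw": rogue.sign_in("admin@corp.example", "guess"),
        "rogue_cloud_only": rogue.sign_in("svc@corp.example", "guess"),
        "rogue_wrong_pw_mfa": rogue_mfa.sign_in("admin@corp.example", "guess"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20} {outcome}")
```

The point of the model is the `rogue_wrong_pw` case: the tenant code path is identical for the honest and tampered agents, so nothing on the cloud side can tell them apart. The `rogue_cloud_only` case shows why only synced accounts are exposed, and `rogue_wrong_pw_mfa` shows that a forged password verdict still stops at the MFA step, which is why the mitigations quoted below emphasise restricting access to the agent servers and enforcing MFA.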
“While this vulnerability does not inherently grant global administrative rights, it provides a pathway for attackers to exploit existing privileged accounts,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start. “To mitigate this risk, organizations must implement stringent security measures, including restricted access to PTA agent servers, robust password policies, and mandatory multi-factor authentication.”
Tal Mandel Bar, product manager at DoControl, added that as cloud identity services become more central to enterprise operations, they're naturally becoming prime targets for attackers. In this case, Mandel Bar said the Cymulate researchers found a way to turn a trusted component — a PTA agent — into a backdoor, a classic case of abusing legitimate functionality for malicious purposes.
“If an attacker can exploit this vulnerability, they could potentially impersonate any user in the system, including those with the highest level of privileges,” said Mandel Bar. “It's like being able to put on anyone's identity badge, even the CEO's. What's particularly worrying is how this vulnerability could enable lateral movement. In a complex enterprise environment with multiple subsidiaries or departments, an attacker could hop from one domain to another, potentially compromising the entire organization.”
Cymulate researchers said in the blog that they reported their initial findings to the Microsoft Security Response Center (MSRC) on July 5. The MSRC responded to the Cymulate researchers on July 19, explaining that the issue is not an immediate threat and is of “moderate severity.” Microsoft also said it won’t issue a CVE for this problem, even though it plans to fix the code on its end; the fix is already in its backlog with no current ETA, according to the Cymulate researchers.
Efforts to reach Microsoft early Friday afternoon were unsuccessful.