Microsoft patches vulnerability with highest risk rating in Entra ID
Microsoft recently closed a security vulnerability with the highest risk rating in Entra ID.
(Image: Ole.CNX / Shutterstock.com)
In Entra ID (Entitlement Management), its cloud-based identity management system, Microsoft has closed a critical security vulnerability with the highest possible risk rating, CVSS 10.0 out of 10. Attackers could have exploited the vulnerability for spoofing attacks.
Microsoft has published a vulnerability advisory. According to it, the company closed the security vulnerability, tracked as CVE-2026-35431 (CVSS 10.0, risk “critical”), last Thursday. It is a Server-Side Request Forgery (SSRF) that allows attackers on the external network to reach resources inside the protected (local) network. Unauthorized malicious actors could thus have carried out spoofing attacks.
Concrete details are scarce
Microsoft does not explain, however, what such attacks would look like or what exactly attackers could have spoofed. The highest risk rating nevertheless suggests that compromising networks was apparently possible, and quite easily.
According to Microsoft, the vulnerability was not previously publicly known and had not yet been exploited. Admins and IT managers also do not need to take any action, as Microsoft employees have already fixed the problem server-side.
It is not unusual for Microsoft to close security vulnerabilities in its cloud systems, thereby automatically protecting customers. At the beginning of February, for example, the company patched security flaws in the multi-cloud management solution Azure Arc, the serverless development environment Azure Functions, and the Content Delivery Network (CDN) Azure Front Door. One of those was also rated a critical risk, and two were rated high risk. Attackers could have used them to gain higher user privileges or access to protected information.
(dmk)