A Now Fixed But Critical Microsoft Accounts Authentication Vulnerability Enables Takeover
Microsoft has confirmed that the critical vulnerability CVE-2025-21396 could enable attackers to bypass authentication on Microsoft accounts, leading to elevation of privilege and account takeover. More details can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396
To be clear, this vulnerability is now fixed.
Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:
“This new vulnerability released publicly by Microsoft is a reasonable demonstration of both responsible disclosure and effective response by the software vendor many depend on.
“First, it is a particularly significant vulnerability that enables escalation of privilege and authentication bypass. In other words, MS accounts can be commandeered by a threat actor.
“Second, it was never exploited in the wild, and it is no longer possible to exploit this vulnerability according to Microsoft’s announcement. This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.
“The level of resilience demonstrated by the response to this missing authentication function by Microsoft is a positive thing for digital consumers. This is the way technology is supposed to work and the way enterprise software vendors establish trust in the marketplace.”
This is a great example of how things work. It got fixed. And the public was informed. Two thumbs up from me. We need to see more of this on a consistent basis.
This entry was posted on February 4, 2025 at 2:30 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.