Cyber Resilience

CVE-2026-24305

Critical

Published: 22 January 2026

Published
22 January 2026
Modified
03 February 2026
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0050 38.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24305 is a critical-severity Improper Authorization (CWE-285) vulnerability in Microsoft Entra Id. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-24305 is an Elevation of Privilege vulnerability in Azure Entra ID. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and is linked to CWE-285 (Improper Authorization).

The vulnerability can be exploited by an unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality disclosure, low-impact integrity modification, and a scope change to high, allowing the attacker to elevate privileges within the affected Azure Entra ID environment.

Microsoft's Security Response Center advisory provides details on mitigation and patching at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24305.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Azure Entra ID Elevation of Privilege Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct EoP vulnerability in public-facing Azure Entra ID service enables unauthenticated network exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59246Same product: Microsoft Entra Id
CVE-2026-35431Same product: Microsoft Entra Id
CVE-2025-55241Same product: Microsoft Entra Id
CVE-2026-40379Same product: Microsoft Entra Id
CVE-2025-26683Same vendor: Microsoft
CVE-2025-64655Same vendor: Microsoft
CVE-2025-53792Same vendor: Microsoft
CVE-2025-24053Same vendor: Microsoft
CVE-2025-21348Same vendor: Microsoft
CVE-2026-27912Same vendor: Microsoft

Affected Assets

microsoft
entra id
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to resources, directly countering the improper authorization (CWE-285) that enables unauthenticated privilege elevation in Azure Entra ID.

prevent

Applies least privilege to restrict the scope and impact of any successful privilege escalation within the Azure Entra ID environment.

prevent

Requires timely identification, reporting, and remediation of flaws like CVE-2026-24305 through patching as advised by Microsoft's Security Response Center.

References