What Happened
Microsoft disclosed CVE-2026-35431, a server-side request forgery vulnerability rated CVSS 10.0 — the highest possible score — in Entra ID Entitlement Management. This component controls which users can request access to Azure resources, Microsoft 365 groups, and SharePoint sites, and manages the approval and review workflows that govern that access across enterprise tenants.
The vulnerability allowed unauthenticated, network-accessible exploitation. An attacker could cause Microsoft’s cloud infrastructure to issue requests on their behalf — potentially enabling access to internal services, authentication tokens, or data within Microsoft’s cloud environment.
Microsoft applied a server-side fix. Customers do not need to install a patch or change any configuration. The system is protected.
Business Impact
- Identity governance was the attack surface: Entitlement Management controls who gets access to what in your Microsoft environment. A successful attacker had a pathway to one of the most sensitive control points in enterprise cloud security.
- Silent patching means silent exposure: Microsoft patched this server-side, which protects customers without requiring action. It also means customers have no visibility into whether the vulnerability was exploited before the fix was deployed. The exposure window is not publicly disclosed.
- Audit logs are your only visibility: Organisations cannot inspect Microsoft’s cloud infrastructure directly. The only evidence of potential exploitation available to customers is anomalous activity in Entra ID audit logs — unusual Entitlement Management changes, unexpected access package modifications, or external identity additions that were not authorised.
- Affects all Entra ID tenants: Entitlement Management is a standard component of Microsoft Entra ID used by organisations worldwide. There is no subset of “affected customers” based on configuration; all tenants using Entitlement Management were potentially exposed prior to the fix.
Board-Ready Summary
- Microsoft’s cloud identity platform had a perfect-score vulnerability in the component that controls who gets access to your cloud resources and applications
- Microsoft fixed it on their side — you do not need to install anything — but you also cannot determine whether it was exploited before the fix was applied
- Your security team should audit identity governance activity from the past 30 days and confirm no unauthorised access grants occurred during the exposure window
Recommended Actions
Immediate — within 24 hours:
1. Pull Entra ID audit logs for Identity Governance events covering the past 30 days. Look specifically for: unexpected access package creation or modification, new Connected Organisation additions (which grant access to external tenants), and approval policy changes made outside normal change windows
2. Verify that the Entitlement Management Administrator and Identity Governance Administrator roles are assigned only to expected accounts — run a Privileged Identity Management role assignment review if your tenant has PIM enabled
Within 48 hours:
3. Review all active access package assignments for external (B2B guest) identities — confirm each guest organisation and user is expected and currently required
4. Audit Conditional Access policies covering administrative Entra ID roles — ensure Entitlement Management admin access requires MFA and is restricted to compliant devices or privileged access workstations
Ongoing:
5. Subscribe to Microsoft Security Response Center advisories for Entra ID and Microsoft Identity Platform — silent cloud service patches are only discoverable through MSRC notifications
6. Build Entitlement Management audit log alerting into your SIEM — anomalous identity governance activity is detectable if you are monitoring for it; it is invisible if you are not
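The audit-log review in the immediate actions and the SIEM alerting in the ongoing actions both come down to the same triage logic: walk the exported audit records and surface the Entitlement Management events the advisory names. The following Python is an added example, not code from Microsoft or from the original advisory. It assumes records exported in the shape of the Microsoft Graph directoryAudits API (activityDateTime, activityDisplayName, category, initiatedBy, targetResources). The sample records, the admin account names, the change window and the exact activity and target-type strings are constructed assumptions; match them against your own tenant's export before using the rules for alerting.

```python
"""Triage exported Entra ID audit records for Entitlement Management activity.

Added example (not the advisory's own tooling). Record layout follows the
Graph directoryAudits schema; the activity names, target types and sample
data below are constructed assumptions to be checked against a real export.
"""
from datetime import datetime

# Roles named in the advisory's action 2. Assignments to these get flagged.
PRIVILEGED_EM_ROLES = {
    "Entitlement Management Administrator",
    "Identity Governance Administrator",
}
# Constructed placeholder: the accounts expected to administer Entitlement Management.
EXPECTED_ADMINS = {"idgov-admin@contoso.example"}
# Assumed change window: weekdays 09:00-16:59 UTC. Adjust to your own process.
CHANGE_WINDOW_HOURS = range(9, 17)

# Constructed sample records, not real tenant data (2026-04-02 is a Thursday).
SAMPLE_RECORDS = [
    {"activityDateTime": "2026-04-02T14:05:00Z", "category": "EntitlementManagement",
     "activityDisplayName": "Update access package",
     "initiatedBy": {"user": {"userPrincipalName": "idgov-admin@contoso.example"}},
     "targetResources": [{"displayName": "Finance Apps", "type": "AccessPackage"}]},
    {"activityDateTime": "2026-04-02T03:10:00Z", "category": "EntitlementManagement",
     "activityDisplayName": "Create connected organization",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@fabrikam.example"}},
     "targetResources": [{"displayName": "Fabrikam", "type": "ConnectedOrganization"}]},
    {"activityDateTime": "2026-04-02T22:30:00Z", "category": "EntitlementManagement",
     "activityDisplayName": "Update policy",
     "initiatedBy": {"user": {"userPrincipalName": "idgov-admin@contoso.example"}},
     "targetResources": [{"displayName": "Auto-approve", "type": "AccessPackageAssignmentPolicy"}]},
    {"activityDateTime": "2026-04-02T03:12:00Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@fabrikam.example"}},
     "targetResources": [{"displayName": "Identity Governance Administrator", "type": "Role"},
                         {"displayName": "contractor@fabrikam.example", "type": "User"}]},
    {"activityDateTime": "2026-04-02T10:00:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "someone@contoso.example", "type": "User"}]},
]


def parse_ts(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_change_window(ts):
    """True when the timestamp falls on a weekday inside CHANGE_WINDOW_HOURS."""
    return ts.weekday() < 5 and ts.hour in CHANGE_WINDOW_HOURS


def initiator_of(record):
    """Return the UPN of the acting user, or the app name for service-principal actions."""
    initiated_by = record.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def triage(records, expected_admins=EXPECTED_ADMINS):
    """Return a list of findings; each carries the reasons the record needs review."""
    findings = []
    for record in records:
        activity = record.get("activityDisplayName", "")
        actor = initiator_of(record)
        targets = record.get("targetResources") or []
        target_types = [t.get("type", "") for t in targets]
        reasons = []

        if record.get("category") == "RoleManagement":
            # Action 2: privileged identity governance roles should only change deliberately.
            role_names = {t.get("displayName") for t in targets}
            if activity == "Add member to role" and role_names & PRIVILEGED_EM_ROLES:
                reasons.append("privileged identity governance role assigned")
        elif record.get("category") == "EntitlementManagement":
            # Action 1: the three indicators the advisory names, plus an unexpected actor.
            if actor not in expected_admins:
                reasons.append("initiator is not an expected Entitlement Management administrator")
            if "ConnectedOrganization" in target_types and activity.lower().startswith("create"):
                reasons.append("new Connected Organisation grants access to an external tenant")
            if "AccessPackage" in target_types and activity.lower().startswith(("create", "update", "delete")):
                reasons.append("access package created or modified")
            if any("Policy" in t for t in target_types) and not in_change_window(parse_ts(record["activityDateTime"])):
                reasons.append("policy change outside the change window")

        if reasons:
            findings.append({"when": record["activityDateTime"], "activity": activity,
                             "actor": actor, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding['when']} {finding['actor']}: {finding['activity']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Feed it the JSON you export for the 30-day window (every Entitlement Management and RoleManagement record, not a pre-filtered subset) and treat each finding as a ticket to close with a named owner; the same rules, run on a schedule against the SIEM's copy of the audit log, become the alerting the ongoing actions ask for.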