Cyber Posture

CVE-2025-59246

Critical

Published: 09 October 2025

Published
09 October 2025
Modified
16 October 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-59246 is an elevation of privilege vulnerability in Azure Entra ID. Published on 2025-10-09T21:15:38.267, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables elevation of privileges, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft provides details on mitigation in its Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59246.

Details

CWE(s)
CWE-306

Affected Products

microsoft
entra id
all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Unauthenticated network-accessible elevation of privilege in public-facing Azure Entra ID service directly enables T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References