The vulnerability stems from improper privilege management within Azure Entra ID, enabling an unauthorized attacker to gain elevated privileges across a network. This privilege escalation can allow the attacker to act with higher–level permissions, facilitating unauthorized access to protected resources, modification of data, or compromise of system integrity. The weakness is identified as CWE‑269.

Affected systems include Microsoft Global Secure Access (GSA) provided by Microsoft. While the CVE does not specify particular versions, the issue exists within the Azure Entra ID component of GSA. Administrators should confirm whether their deployment is using a version that may incorporate the affected component, especially if they rely on Azure Entra ID for identity and access management.

The CVSS score of 7.5 indicates a high severity risk, but EPSS is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a network‑based attacker exploiting the privilege management flaw through Azure Entra ID services. The lack of patch status in the data suggests that users should seek current patches or guidance from Microsoft to mitigate this risk.