Description
Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exposes sensitive information in Azure Entra ID, allowing an attacker to perform spoofing over a network. The breach enables an unauthorized actor to impersonate legitimate users or services, potentially gaining unauthorized access to protected resources. The weakness is classified as CWE-200, indicating an information exposure flaw that can be leveraged for authentication bypass.

Affected Systems

Microsoft Enterprise Security Token Service (ESTS) is affected. No specific version information is provided in the available data, so all deployments of ESTS with the exposed functionality are at risk.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is considered critical. The EPSS score is not available, but the absence of a KEV listing does not reduce the likelihood of exploitation. The attack vector is inferred to be network-based, requiring that an attacker can send crafted requests to the ESTS endpoint to obtain forged tokens or other identifying information. Given the high severity and potential for impersonation, the risk to confidentiality, integrity, and availability is significant.

Generated by OpenCVE AI on May 12, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft-published security update for Microsoft Enterprise Security Token Service.
  • Restrict network access to the ESTS endpoints using firewalls or subnet segmentation so that only trusted systems may reach the service.
  • Enable and monitor audit logs for ESTS authentication flows to detect suspicious token issuance or attempted spoofing.

Generated by OpenCVE AI on May 12, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft entra Id
CPEs cpe:2.3:a:microsoft:entra_id:-:*:*:*:*:*:*:*
Vendors & Products Microsoft entra Id

Fri, 15 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability Azure Entra ID Spoofing Vulnerability
First Time appeared Microsoft microsoft Entra Id
CPEs cpe:2.3:a:microsoft:azure_enterprise_security_token_service:*:*:*:*:*:*:*:* cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*
Vendors & Products Microsoft microsoft Entra Id

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
First Time appeared Microsoft
Microsoft azure Enterprise Security Token Service
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:azure_enterprise_security_token_service:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Enterprise Security Token Service
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Enterprise Security Token Service Entra Id Microsoft Entra Id
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:32:19.151Z

Reserved: 2026-04-11T23:06:15.615Z

Link: CVE-2026-40379

cve-icon Vulnrichment

Updated: 2026-05-12T19:08:57.821Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:16.663

Modified: 2026-05-21T18:48:48.500

Link: CVE-2026-40379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses