A critical vulnerability in Microsoft\u2019s Entra ID continues to expose numerous enterprise applications, two years post-discovery. Semperis, an identity security provider, presented new findings regarding this threat at the TROOPERS25 conference held in Heidelberg, Germany on June 25, 2025.<\/p>\n
The analysis revealed that approximately 15,000 software-as-a-service (SaaS) applications may be vulnerable to the nOAuth flaw, a serious authentication issue that could lead to account takeovers and data exfiltration.<\/p>\n
Identified in June 2023, nOAuth is an authentication implementation flaw affecting Microsoft Azure AD multi-tenant Open Authorization (OAuth) applications. This flaw was uncovered by Descope through cross-tenant testing. OAuth is an open, token-based authorization framework that allows users to grant application access to their private resources without relinquishing their identity details.<\/p>\n
OpenID Connect (OIDC), built atop OAuth 2.0, enables applications to authenticate users and access basic profile details using JSON Web Tokens (JWT) for secure communication. The vulnerability emerges from Entra ID app configurations that accept unverified email claims as user identifiers\u2014an established anti-pattern according to OIDC standards. In such cases, an attacker only requires an Entra tenant and the target email address to seize control of the victim’s SaaS account.<\/p>\n
Moreover, conventional security measures, such as multifactor authentication (MFA), conditional access, and Zero Trust policies, are ineffective against this vulnerability.<\/p>\n
Semperis’s findings suggest that despite the discovery of nOAuth two years ago, many SaaS applications remain susceptible to this flaw. Approximately 10% of the total SaaS applications in circulation\u2014estimated at over 150,000\u2014could be impacted, equating to at least 15,000 enterprise SaaS applications at risk as of June 2025.<\/p>\n
The ongoing oversight by SaaS vendors appears to stem from a lack of understanding of the vulnerability and the difficulty enterprises face in defending against it, thereby enabling attackers to compromise accounts and extract sensitive data.<\/p>\n
Eric Woodruff, the Chief Identity Architect at Semperis, categorized this vulnerability as “severe” due to its low complexity and the challenge of defending against attacks. He emphasized that developers can inadvertently adopt insecure patterns without awareness and often lack the tools to identify such weaknesses. Consequently, customers are left without effective detection or prevention strategies, making the threat particularly insidious and enduring.<\/p>\n
While traditional vulnerability mitigation techniques do not address nOAuth, Semperis recommends several strategies to lessen the risks associated with this flaw:<\/p>\n
These steps are critical in mitigating the potential damage from this ongoing vulnerability and enhancing the overall security posture of enterprise applications.<\/p>\n","protected":false},"excerpt":{"rendered":"
A critical vulnerability in Microsoft\u2019s Entra ID continues to expose numerous enterprise applications, two years post-discovery. Semperis, an identity security…<\/p>\n","protected":false},"author":1,"featured_media":2345,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[129,109,108],"class_list":["post-2344","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-authentication","tag-software","tag-vulnerability"],"acf":[],"yoast_head":"\n