Semperis estimates that at least 15,000 enterprise SaaS applications are still vulnerable to a flaw discovered in 2023
Analysis Summary
# Vulnerability: Microsoft Entra ID nOAuth Authentication Flaw Leading to SaaS Account Takeover
## CVE Details
- CVE ID: Not explicitly provided in the excerpt; the flaw was discovered in June 2023. If this is the publicly disclosed nOAuth issue, it is likely related to **CVE-2023-36885** or a similar nOAuth bypass (unconfirmed).
- CVSS Score: Not explicitly stated, but described as a **severe authentication flaw** leading to account takeovers.
- CWE: Authentication Bypass (Implied, related to improper validation of OAuth claims).
## Affected Systems
- Products: Microsoft Entra ID (formerly Azure AD) multi-tenant Open Authorization (OAuth) applications.
- Versions: Not specified, but affects applications configured incorrectly.
- Configurations: Applications using Entra ID authentication that accept the **unverified email claim as the user identifier** in their OpenID Connect (OIDC) integration (an anti-pattern).
## Vulnerability Description
The nOAuth vulnerability is an authentication implementation flaw affecting Microsoft Entra ID multi-tenant OAuth applications. It is exploitable when the application accepts the unverified `email` claim carried in the ID token (a JWT) as the user identifier, contrary to OpenID Connect guidance to key identities on stable, issuer-bound identifiers. Because the email attribute in an Entra tenant is set by that tenant's administrator and is not verified against the domain, an attacker needs only an Entra tenant of their own and the target user's email address to be matched to the victim's account and potentially take control of it within the targeted SaaS application.
## Exploitation
- Status: The flaw was **discovered in June 2023** through cross-tenant testing, and findings about ongoing exposure were shared in June 2025. Exploitation status in the wild is not explicitly confirmed in the summary, but the sustained risk suggests active threat actor interest.
- Complexity: Low (requires only an Entra tenant and the target user's email address).
- Attack Vector: Network (Remote authentication manipulation).
## Impact
- Confidentiality: High (Potential for account takeover leading to data exfiltration).
- Integrity: High (Potential to modify data or configurations via compromised accounts).
- Availability: Medium to High (Depending on the criticality of the compromised SaaS application).
## Remediation
### Patches
- Specific patch details or version numbers are not provided in this summary, as the focus is on the persistence of the issue two years after initial discovery. Organizations managing affected SaaS applications must consult Microsoft advisories regarding configuration remediation or necessary updates.
### Workarounds
- Organizations should **review and correct Entra ID app configurations** that permit unverified email claims as user identifiers, ensuring adherence to OpenID Connect standards.
- Limit application consent where possible.
## Detection
- Indicators of compromise (IoCs) would be found by monitoring sign-in logs for successful OAuth/OIDC authentications in which the identity claim was not properly validated (for example, a known user's email presented from a different issuing tenant), and for unexpected access to linked SaaS applications.
- Detection methods involve **cross-tenant security auditing** focused on OIDC/OAuth configurations within Entra ID.
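The following is an added example, not code from the article or from any vendor; it illustrates both the configuration anti-pattern described under Vulnerability Description (resolving the SaaS user from the `email` claim) and the detection idea above (flagging a known email presented from an unexpected tenant). The user table and the two claim sets are constructed for illustration; the claim names `tid` and `oid` are the tenant id and object id that Entra ID issues in its tokens, and the hardened lookup keys on that pair instead of on `email`.

```python
"""Added example: resolving a SaaS user from Entra ID token claims the
vulnerable way (keyed on the unverified `email` claim) versus the hardened
way (keyed on the issuing tenant id `tid` plus object id `oid`), with a
detection helper that flags a cross-tenant email collision. All data below
is constructed; nothing here contacts Entra ID."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    email: str
    tid: Optional[str] = None  # Entra tenant id bound at enrollment
    oid: Optional[str] = None  # Entra object id bound at enrollment


# Constructed user table: the victim enrolled through tenant "tenant-a".
USERS = [User("alice", "alice@victim.example", tid="tenant-a", oid="oid-alice")]


def resolve_user_vulnerable(claims, users=USERS):
    """Anti-pattern: trust the `email` claim as the account identifier.
    Any tenant can issue a token carrying this email value."""
    email = claims.get("email", "").lower()
    for user in users:
        if user.email.lower() == email:
            return user
    return None


def resolve_user_hardened(claims, users=USERS):
    """Key on (tid, oid), the issuer-bound identifiers of the principal that
    actually authenticated. The `email` claim is for display only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # refuse tokens that lack the stable identifiers
    for user in users:
        if user.tid == tid and user.oid == oid:
            return user
    return None


def audit_claims(claims, users=USERS):
    """Detection helper: return an alert string when the presented email matches
    an enrolled user but the (tid, oid) pair differs from the enrollment binding."""
    email = claims.get("email", "").lower()
    presented = (claims.get("tid"), claims.get("oid"))
    for user in users:
        if user.email.lower() == email and (user.tid, user.oid) != presented:
            return (f"ALERT: {email} presented from tenant {presented[0]} "
                    f"(oid {presented[1]}); enrolled binding is tenant "
                    f"{user.tid} (oid {user.oid})")
    return None


# Constructed claim sets (subset of a decoded Entra ID token payload).
LEGIT = {
    "iss": "https://login.microsoftonline.com/tenant-a/v2.0",
    "tid": "tenant-a",
    "oid": "oid-alice",
    "email": "alice@victim.example",
}
# Issued by an unrelated tenant whose admin set the same, unverified email.
CROSS_TENANT = {
    "iss": "https://login.microsoftonline.com/tenant-b/v2.0",
    "tid": "tenant-b",
    "oid": "oid-other",
    "email": "alice@victim.example",
}

if __name__ == "__main__":
    for label, claims in (("legit", LEGIT), ("cross-tenant", CROSS_TENANT)):
        vuln = resolve_user_vulnerable(claims)
        hard = resolve_user_hardened(claims)
        print(label, "vulnerable ->", vuln.username if vuln else None,
              "| hardened ->", hard.username if hard else None)
        print("  audit:", audit_claims(claims))
```

Run as a script, the vulnerable resolver maps both claim sets to `alice`, the hardened resolver maps only the tenant-a token and returns `None` for the cross-tenant one, and `audit_claims` produces an alert only for the cross-tenant token. In a real integration the binding step (first sign-in or account linking) must record `tid` and `oid` and the lookup must never fall back to `email` when that pair is unknown.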
## References
- Vendor Advisories: Reference should be made to Microsoft security advisories issued around June 2023 (and subsequent updates) regarding Entra ID OAuth configuration risks.
- Relevant links:
  - Initial discovery reference: https://www.descope.com/blog/post/noauth
  - News source: https://www.infosecurity-magazine.com/news/microsoft-noauth-flaw-2025/