exploitDog

CVE-2025-59501

Published: Oct 24, 2025
Source: msrc
CVSS3: 4.8
EPSS: Low

Description

Microsoft Configuration Manager Spoofing Vulnerability

Authentication bypass by spoofing in Microsoft Configuration Manager allows an authorized attacker to perform spoofing over an adjacent network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

For the vulnerability, this means the exploitation requires a specific and uncommon condition: an Active Directory user account must exist with a matching user principal name (UPN) that was not properly synchronized to Microsoft Entra ID.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by modifying the user principal name (UPN) of a valid Microsoft Entra ID account or creating a new account to impersonate an Active Directory user with the same UPN that was not synchronized to Entra ID. Successful exploitation could allow the attacker to gain unauthorized administrative control over Microsoft Configuration Manager and its managed clients.

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Updates

Product                               Article   Update
Microsoft Configuration Manager 2403
Microsoft Configuration Manager 2503
Microsoft Configuration Manager 2409

Exploitability

Publicly Disclosed

No

Exploited

No

EPSS

Percentile: 44%
0.00217
Low

4.8 Medium

CVSS3

Related vulnerabilities

CVSS3: 4.8
nvd
3 days ago

Authentication bypass by spoofing in Microsoft Configuration Manager allows an authorized attacker to perform spoofing over an adjacent network.

CVSS3: 4.8
github
3 days ago

Authentication bypass by spoofing in Microsoft Configuration Manager allows an authorized attacker to perform spoofing over an adjacent network.