Thursday, May 15, 2025
HomeSecurity HackerNew Microsoft ADFS Protocol Vulnerability allow Hackers to Compromise the Entire Organization...

New Microsoft ADFS Protocol Vulnerability allow Hackers to Compromise the Entire Organization Network

Published on

SIEM as a Service

Follow Us on Google News

New vulnerability discovered in Microsoft Active Directory Federated Services (ADFS) protocol that integrated with Multifactor authentication service allows an attacker to compromise the entire network of the target organization.

This Flaw allows two-factor authentication that used in one account can be used for the all accounts in the organization, so if the single user will be compromised then it leads to taking over all other accounts in the organization.

Most of the organization using multi-factor authentication along password that including phone or tokens in order to protect their network.

- Advertisement - Google News

But if the attacker will compromise the single users account password and two factor then the same two-factor authentication can be used for the entire organization due to this weakness in the MFA protocol for Microsoft’s authentication system.

This is a very valuable option for an attacker who gained the limited access to the target and expands the attack.

How does this ADFS Vulnerability works

Let’s assume that Alice and Bob working in the same company and both are in the same Actvice directory.

Initially, an attacker gains the Alice Username/Password, and the attacker also gain Bob’s both username/password and the second factor.

An attacker could be an insider threat or low privileged accounts, or the attack could social engineering else reaching helpdesk to reset the second-factor authentication.

some time attacker using phishing attack, brute-force, and other methods based on the privilege capability to gain the username and password from Alice.

Later external attackers can also gain the Bob username/password using same social engineering method which contains no second-factor authentication.

Attacker set their own phone as a second factor if Bob is not enrolled in a second factor, so MFA provider will go through the enrollment process with the attacker.

This grants the attacker access to Bob’s account. Alongside the credentials stolen from Alice, the attacker has now fulfilled the requirements for exploiting this vulnerability.

According to the researchers, While phone notifications are a concrete example, the attack works equally well with other forms of the second factor. The MFA Context and MFA Token are used by the AD server and the MFA provider to coordinate the second-factor authentication flow.

A similar sequence occurs when the attacker submits Bob’s username and password. The attacker receives a session cookie, MFA Context and MFA Token for Bob. However, this time the attacker can complete the second-factor authentication flow for Bob’s token. This involves sending Bob’s token to the MFA provider, which then sends a notification to the attacker’s phone, where the attacker can press “Approve”. The MFA provider then records that the flow for Bob’s token has been approved.

This vulnerability is best addressed within ADFS and it likely affects all MFA products for ADFS.

After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. See CVE-2018-8340. and Organizations running Microsoft ADFS are advised to patch their systems.

Also, you can read the complete Attack process of this vulnerability and its execution flow Here.

Also Read:

Microsoft Edge Browser Vulnerability Allows Malicious Hackers Steal Your Computer Local Files

Let’s Encrypt Root Certificate Now Directly Trusted by Microsoft and all Major Root Programs

Hackers Distributing FELIXROOT Backdoor Malware using Microsoft Office Vulnerabilities

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Coinbase Data Breach – Customers Personal Info, Government‑ID & Transaction Data Exposed

Coinbase, the largest cryptocurrency exchange in the United States, has disclosed a significant cybersecurity...

Inside Turla’s Uroboros Infrastructure and Tactics Revealed

In a nation-state cyber espionage, a recent static analysis of the Uroboros rootkit, attributed...

CISA Alerts on Five Active Zero-Day Windows Vulnerabilities Being Exploited

Cybersecurity professionals and network defenders, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...

Intruder vs. Acunetix vs. Attaxion: Comparing Vulnerability Management Solutions

The vulnerability management market is projected to reach US$24.08 billion by 2030, with numerous...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection

Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs...

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...