{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-privileged-identity-management-pim/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35430"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Privileged Identity Management (PIM)"],"_cs_severities":["high"],"_cs_tags":["privilege escalation","azure"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-35430 is an authorization bypass vulnerability affecting Azure Privileged Identity Management (PIM). An authorized attacker can exploit this vulnerability to elevate privileges over a network. This is achieved by manipulating a user-controlled key within the PIM system, leading to unauthorized access and control. This vulnerability poses a significant risk to organizations relying on Azure PIM for managing privileged access, potentially allowing attackers to compromise critical resources and data. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 8.8, indicating a high severity. Defenders should prioritize patching and monitoring for any suspicious activity related to PIM.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account with some level of authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the Azure PIM service as a potential target for privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers a user-controlled key within the Azure PIM configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the user-controlled key to bypass authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to activate a privileged role within Azure PIM.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated key, the attacker is granted the privileged role despite lacking proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access and control network resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35430 allows an attacker to gain unauthorized privileged access within an Azure environment. This can lead to a complete compromise of the targeted network, including access to sensitive data, modification of critical configurations, and disruption of services. The impact is significant for organizations relying on Azure PIM to protect their infrastructure and data, potentially leading to substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by Microsoft for CVE-2026-35430 as soon as possible to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor Azure logs for any unauthorized attempts to activate privileged roles in PIM, using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with privileged access, to reduce the risk of initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:33:09Z","date_published":"2026-05-26T13:33:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-azure-pim-auth-bypass/","summary":"CVE-2026-35430 allows an authorized attacker to elevate privileges over a network in Azure Privileged Identity Management (PIM) through a user-controlled key.","title":"CVE-2026-35430 — Azure PIM Authorization Bypass via User-Controlled Key","url":"https://feed.craftedsignal.io/briefs/2026-05-azure-pim-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure Privileged Identity Management (PIM)","version":"https://jsonfeed.org/version/1.1"}