CVE-2024-43477 Overview
CVE-2024-43477 is an improper access control vulnerability [CWE-284] in Microsoft Entra ID Decentralized Identity Services. An unauthenticated remote attacker can disable Verifiable IDs belonging to another tenant. The flaw breaks tenant isolation and disrupts identity verification workflows that rely on Verifiable Credentials. Microsoft published the advisory on August 23, 2024.
The vulnerability carries a CVSS 3.1 score of 7.5 with an availability-only impact. No confidentiality or integrity loss occurs, but cross-tenant denial of service against Verifiable ID issuance and validation is achievable without authentication or user interaction.
Critical Impact
Unauthenticated attackers can disable Verifiable IDs on tenants they do not own, causing cross-tenant denial of service against identity verification workflows in Microsoft Entra ID.
Affected Products
- Microsoft Entra ID (Decentralized Identity Services)
- Microsoft Entra Verified ID
- Tenants relying on Verifiable Credentials issued through Entra ID
Discovery Timeline
- 2024-08-23 - CVE-2024-43477 published to NVD
- 2025-01-29 - Last updated in the NVD database
Technical Details for CVE-2024-43477
Vulnerability Analysis
The vulnerability resides in Microsoft Entra Decentralized Identity Services, the component that issues and manages Verifiable IDs. Improper access control on a service endpoint allows requests from outside a tenant's trust boundary to act on objects owned by that tenant. Specifically, the service does not adequately validate that the caller has authorization to modify the targeted Verifiable ID configuration.
An attacker submits a crafted request that references a Verifiable ID belonging to a victim tenant. The service processes the request and disables the credential without first confirming caller identity or tenant ownership. Verification flows that depend on the disabled credential then fail, breaking downstream onboarding, access, and trust decisions.
The attack requires network access only. No prior authentication, no user interaction, and no elevated privileges are needed. The impact is limited to availability, but in identity-driven environments, loss of credential issuance and verification can halt business processes.
Root Cause
The root cause is missing or insufficient authorization checks [CWE-284] on a tenant-scoped management operation in Decentralized Identity Services. The service trusts request parameters to identify the target object without binding the operation to an authenticated tenant context.
Attack Vector
The attack is delivered over the network against the Decentralized Identity Services API. An attacker sends a request that targets the Verifiable ID identifier of another tenant. Because the endpoint is reachable without authentication and lacks ownership validation, the disable action succeeds. See the Microsoft Security Update CVE-2024-43477 for vendor details.
No public proof-of-concept exists. The EPSS score is 7.964% at the 92.2nd percentile, reflecting elevated predicted exploitation interest relative to the broader CVE population.
Detection Methods for CVE-2024-43477
Indicators of Compromise
- Verifiable IDs transitioning to a disabled state without a corresponding administrative action in tenant audit logs
- Spikes in Verifiable Credential verification failures for previously healthy credentials
- Unexpected status changes on Verified ID configurations recorded in Entra audit logs
- Help desk reports of broken onboarding or access flows tied to Verifiable Credentials
Detection Strategies
- Correlate Entra ID audit events for Verified ID configuration changes against the identity of the administrator who initiated them
- Alert when a Verifiable ID is disabled and the originating principal is missing, anonymous, or outside the tenant
- Baseline normal Verified ID change frequency per tenant and flag deviations
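As an added example that is not part of the advisory or any Microsoft tooling, the following Python applies the first two strategies above to audit events normalised into an assumed simplified schema; the tenant identifier, field names and events are constructed placeholders, and real Entra audit records would have to be mapped onto these fields first.

```python
# Assumption: audit events are dicts with the fields activity, new_state,
# initiator, initiator_tenant, timestamp and credential. This is a
# simplified schema, not the real Entra audit log format.
from collections import Counter
from datetime import datetime

TENANT_ID = "contoso-tenant-0001"  # placeholder tenant identifier

# Constructed sample events (not real Entra log data).
SAMPLE_EVENTS = [
    {"activity": "Update VerifiedIdConfiguration", "new_state": "disabled",
     "initiator": "admin@contoso.example", "initiator_tenant": TENANT_ID,
     "timestamp": "2024-08-20T09:00:00Z", "credential": "EmployeeBadge"},
    {"activity": "Update VerifiedIdConfiguration", "new_state": "disabled",
     "initiator": None, "initiator_tenant": None,
     "timestamp": "2024-08-21T03:14:00Z", "credential": "ContractorBadge"},
    {"activity": "Update VerifiedIdConfiguration", "new_state": "disabled",
     "initiator": "svc@other.example", "initiator_tenant": "other-tenant-9999",
     "timestamp": "2024-08-21T03:15:00Z", "credential": "PartnerBadge"},
    {"activity": "Update VerifiedIdConfiguration", "new_state": "enabled",
     "initiator": None, "initiator_tenant": None,
     "timestamp": "2024-08-21T04:00:00Z", "credential": "PartnerBadge"},
]

def is_unauthorized_disable(event, tenant_id):
    """True when a credential was disabled by a missing, anonymous or
    foreign-tenant principal: the pattern the detection strategies describe."""
    if event.get("new_state") != "disabled":
        return False
    initiator = event.get("initiator")
    if not initiator or initiator.lower() == "anonymous":
        return True
    return event.get("initiator_tenant") != tenant_id

def find_unauthorized_disables(events, tenant_id=TENANT_ID):
    """Return the credential names disabled without a valid tenant admin."""
    return [e["credential"] for e in events if is_unauthorized_disable(e, tenant_id)]

def disables_per_hour(events):
    """Count disable events per UTC hour to support baseline/deviation alerts."""
    hours = Counter()
    for e in events:
        if e.get("new_state") == "disabled":
            ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            hours[ts.strftime("%Y-%m-%dT%H")] += 1
    return hours
```

Feeding the sample events through `find_unauthorized_disables` flags only the two disables with no tenant-bound administrator, while the legitimate admin action and the later re-enable are left alone.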
Monitoring Recommendations
- Ingest Entra ID sign-in, audit, and Verified ID service logs into a centralized analytics platform
- Monitor VerifiedIdConfiguration and credential lifecycle events for unauthorized state transitions
- Track verification failure rates from relying parties as a downstream signal of disabled credentials
How to Mitigate CVE-2024-43477
Immediate Actions Required
- Confirm that the Microsoft service-side fix is applied. This vulnerability is in a Microsoft cloud service and is remediated by Microsoft. Review the Microsoft Security Update CVE-2024-43477 advisory for current status.
- Audit Verified ID configurations in each tenant and confirm that all credentials remain in the expected enabled or disabled state.
- Review Entra ID audit logs from before the patch date for unexplained Verifiable ID state changes.
Patch Information
Microsoft remediated CVE-2024-43477 server-side in the Decentralized Identity Services component of Microsoft Entra ID. No customer-installed patch is required. Tenants should still validate the integrity of existing Verifiable ID configurations and re-issue any credentials that were disabled without authorization.
Workarounds
- No customer-side configuration workaround is documented by Microsoft. The fix is delivered through the cloud service.
- For defense in depth, restrict relying-party trust to specific Verifiable ID issuers and monitor for unexpected status changes.
- Maintain incident response procedures to re-enable or re-issue Verifiable IDs quickly if a disable event is detected.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.