CVE-2026-57100

critical
Published 2026-07-02 · Modified 2026-07-02
CVSS v3: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS v4: — (not yet in upstream)
VIR risk: 9.9

Description

Server-side request forgery (SSRF) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.

Predictions

Exploit likelihood: 98%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Microsoft Security Response Center · proprietary-no-redistribution
Full prose not cached: VIR stores only structured fields (affected/fixed versions, references) for this source. The vendor's original advisory has the full text.

Affected

Vendor      Product                                       Version
microsoft   Microsoft Exchange Online
microsoft   Azure Synapse
microsoft   Azure Open AI
microsoft   Microsoft 365 Copilot
microsoft   azl3 kernel 6.6.139.1-1 on Azure Linux 3.0
microsoft   azl3 kernel 6.6.143.1-1 on Azure Linux 3.0
microsoft   Microsoft Entra Provisioning Service
microsoft   azl3 runc 1.3.3-2 on Azure Linux 3.0

OS impact

Windows: Affected (1 release)

Version   Status     Fixed in
—         Affected   —

References

CWEs

CWE-918
