CVE-2026-2915 has been added to the CISA KEV catalog, confirming active exploitation in the wild. Federal agencies are required to remediate. All organizations should treat this with equal urgency.
Microsoft confirmed active exploitation of CVE-2026-2915, a critical privilege escalation vulnerability in Microsoft Entra ID (formerly Azure AD) that allows attackers with any authenticated access to escalate to Global Administrator. Patch or apply mitigations immediately.
On April 29, 2026, Microsoft disclosed CVE-2026-2915, a critical privilege escalation vulnerability in Microsoft Entra ID that allows an attacker with any level of authenticated access to an Entra ID tenant to escalate their privileges to Global Administrator. The vulnerability exists in the Entra ID role assignment processing logic and can be exploited by sending a specially crafted API request. Microsoft confirmed active exploitation in the wild, and CISA added the CVE to its Known Exploited Vulnerabilities catalog.
Global Administrator access in Entra ID is effectively the keys to the kingdom for any Microsoft 365 or Azure environment. With Global Admin, an attacker can create new administrator accounts for persistent access, disable MFA for targeted accounts, access all email and files across the entire organization through Exchange and SharePoint, exfiltrate data from all Microsoft 365 services, modify conditional access policies to remove security controls, access all Azure resources and subscriptions, and reset passwords for any user including other administrators. In confirmed exploitation incidents, attackers have used this access to exfiltrate email archives, access SharePoint document libraries, and establish persistent backdoor access through new service principals.
Microsoft has released an emergency patch addressing CVE-2026-2915. Apply the patch through the Entra ID admin portal and Windows Update. After patching, conduct an immediate audit of your Global Administrator role assignments — go to Entra ID > Roles and administrators > Global Administrator and review every account listed. Remove any accounts that should not have this role. Review your Entra ID sign-in logs and audit logs for the past 30 days for signs of exploitation — look for unusual role assignments, new service principal creations, or bulk data access events. Enable Privileged Identity Management (PIM) if not already active to require just-in-time approval for Global Admin role activation.
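The 30-day log review above, as an added example that is not part of the advisory or Segler.Net's own tooling: a Python triage over Entra ID audit-log entries exported in the Microsoft Graph directoryAudit shape, flagging Global Administrator grants and new service principals inside the window. The sample entries are constructed, and the activity names "Add member to role", "Add eligible member to role" and "Add service principal" are assumed to match what the tenant emits.

```python
"""Triage Entra ID audit-log entries for GA role grants and new service principals."""
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN_ROLE = "Global Administrator"
# Assumption: these activityDisplayName values match the tenant's audit log.
WATCHED_ACTIVITIES = {"Add member to role", "Add eligible member to role", "Add service principal"}
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # review date used for the sample run

# Constructed sample entries in Graph directoryAudit shape (not real tenant data).
SAMPLE_AUDIT = [
    {"activityDateTime": "2026-04-30T02:14:07Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "newadmin@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2026-04-30T02:20:51Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "newadmin@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "backup-sync"}]},
    {"activityDateTime": "2026-04-28T09:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "helpdesk@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2026-02-01T12:00:00Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "old-app"}]},
]

def _role_name(entry):
    """Pull the granted role name out of the entry's modifiedProperties, if present."""
    for res in entry.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return (prop.get("newValue") or "").strip('"')
    return None

def triage(entries, now, window_days=30):
    """Return findings (sorted by time) for GA grants and new service principals in the window."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for e in entries:
        when = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
        act = e.get("activityDisplayName")
        if when < cutoff or act not in WATCHED_ACTIVITIES:
            continue
        actor = ((e.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "<app/unknown>")
        targets = e.get("targetResources") or [{}]
        target = targets[0].get("userPrincipalName") or targets[0].get("displayName")
        if act.endswith("member to role") and _role_name(e) != GLOBAL_ADMIN_ROLE:
            continue  # grants of other roles are noise for this specific review
        kind = "global-admin-grant" if act.endswith("member to role") else "new-service-principal"
        findings.append({"when": when, "kind": kind, "actor": actor, "target": target})
    return sorted(findings, key=lambda f: f["when"])

def run_sample():
    """Run the triage over the constructed sample as of NOW."""
    return triage(SAMPLE_AUDIT, NOW)
```

Feed it the JSON from a Graph audit-log export to get a short list of who granted Global Administrator to whom, and which service principals appeared, in the review window.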
Beyond the immediate patch, use this incident as an opportunity to harden your Entra ID environment. Implement a policy of zero standing Global Admin access — use PIM to require time-limited, approval-based activation of the Global Admin role. Require phishing-resistant MFA (FIDO2) for all administrator accounts. Enable Entra ID Protection to detect and respond to risky sign-ins automatically. Configure Conditional Access policies that block access from unexpected locations or devices for privileged accounts. Regularly review all role assignments and service principal permissions. Segler.Net can assist with Entra ID security hardening and PIM implementation.
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.