Vendor scorecard
Microsoft Identity
Microsoft Identity security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: microsoft
Product families
2
Open in latest
6
Inferred — see methodology
Last disclosure
May 13, 2025
01
Product categories
2 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| Active Directory / ADFSIdentity & Access Managementactive_directory, active_directory_federation_services, active_directory_domain_services | 5 | 4 | 4.0LOW | ||
| Entra / Identity SyncIdentity & Access Managementazure_active_directory_connect, entra_connect, defender_for_identity | 4 | 2 | 2.0.9.0MED |
02
Recent CVEs
11 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2025-26685(opens NVD record) | Medium | 6.5 | Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. | May 13, 2025 |
| CVE-2022-22323(opens NVD record) | Medium | 6.5 | IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 218379. | Apr 27, 2022 |
| CVE-2022-22312(opens NVD record) | Medium | 6.5 | IBM Security Identity Manager (IBM Security Verify Password Synchronization Plug-in for Windows AD 10.x) is vulnerable to a denial of service, caused by a heap-based buffer overflow in the Password Synch Plug-in. An authenticated attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 217369. | Apr 27, 2022 |
| CVE-2021-36949(opens NVD record) | High | 7.1 | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | Aug 12, 2021 |
| CVE-2019-1000(opens NVD record) | Medium | 5.3 | An elevation of privilege vulnerability exists in Microsoft Azure Active Directory Connect build 1.3.20.0, which allows an attacker to execute two PowerShell cmdlets in context of a privileged account, and perform privileged actions.To exploit this, an attacker would need to authenticate to the Azure AD Connect server, aka 'Microsoft Azure AD Connect Elevation of Privilege Vulnerability'. | May 16, 2019 |
| CVE-2018-16794(opens NVD record) | High | 8.6 | Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls. | Sep 18, 2018 |
| CVE-2017-8613(opens NVD record) | High | 8.1 | Azure AD Connect Password writeback, if misconfigured during enablement, allows an attacker to reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts aka "Azure AD Connect Elevation of Privilege Vulnerability." | Jun 29, 2017 |
| CVE-2015-1757(opens NVD record) | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in adfs/ls in Active Directory Federation Services (AD FS) in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 allows remote attackers to inject arbitrary web script or HTML via the wct parameter, aka "ADFS XSS Elevation of Privilege Vulnerability." | Jun 10, 2015 |
| CVE-2014-6331(opens NVD record) | Medium | 5.0 | Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability." | Nov 11, 2014 |
| CVE-2013-3185(opens NVD record) | Medium | 5.0 | Microsoft Active Directory Federation Services (AD FS) 1.x through 2.1 on Windows Server 2003 R2 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 allows remote attackers to obtain sensitive information about the service account, and possibly conduct account-lockout attacks, by connecting to an endpoint, aka "AD FS Information Disclosure Vulnerability." | Aug 14, 2013 |
| CVE-2013-1282(opens NVD record) | Medium | 5.0 | The LDAP service in Microsoft Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services allows remote attackers to cause a denial of service (memory consumption and service outage) via a crafted query, aka "Memory Consumption Vulnerability." | Apr 9, 2013 |
9 CVEs · 2 product families