Two-year-old Microsoft nOAuth vulnerability persists, compromising SaaS applications' security.
Research presented by Semperis at the TROOPERS25 conference in Heidelberg, Germany on June 25 shows that nOAuth, a vulnerability first disclosed by Descope in June 2023, still affects at least 15,000 software-as-a-service (SaaS) applications two years later.
nOAuth is an authentication implementation flaw in multi-tenant Open Authorization (OAuth) and OpenID Connect applications that integrate with Microsoft Entra ID (formerly Azure AD). Affected applications identify users by the email claim in the ID token instead of by the immutable tenant and object identifiers. Because a user's email attribute in Entra ID is mutable and is not verified by the identity provider, an attacker who controls their own Entra tenant only needs the target's email address: they set it on a user in their tenant, sign in to the SaaS application with that user, and are logged into the victim's account, opening the door to account takeover and data exfiltration.
Traditional safeguards such as multifactor authentication (MFA), Conditional Access, and Zero Trust policies do not protect against this vulnerability: the attacker authenticates legitimately in a tenant they control, so the victim organization's sign-in policies are never evaluated. Eric Woodruff, Semperis' Chief Identity Architect, ranks the nOAuth vulnerability as "severe" because of its low complexity and because it cannot be defended against without specific measures on the application side.
Woodruff also stated that the vulnerability is easy for developers to introduce without realizing it, and that customers often have no way to detect or stop the attack. As of June 2025, Semperis has not publicly named the SaaS providers that had not yet addressed the nOAuth vulnerability.
To combat this threat, Semperis recommends that SaaS vendors follow Microsoft's guidance for preventing nOAuth abuse: never use the email claim as a user identifier or for authorization decisions, and instead key accounts on the immutable `sub` claim or on the `tid` (tenant id) and `oid` (object id) pair. They also advise developers to implement these fixes to protect their customers. Organizations should have deep log correlation across both Entra ID and the SaaS platform to detect nOAuth abuse.
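To make the flaw and its fix concrete, here is an added Python example; it is not code from the article, Semperis, Descope or Microsoft. It assumes a SaaS application that keys accounts on Entra ID's `tid` and `oid` claims, hypothetical tenant and object identifiers and user names, and constructed audit log lines. The unsigned demo token stands in for a real signed ID token that the app's OIDC library has already verified. The `email_is_verified` helper relies on Entra ID's optional `xms_edov` (email domain owner verified) claim, which an application must explicitly request in its optional-claims configuration.

```python
import base64
import json

# Constructed sample identifiers (not from the article or Semperis/Descope).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
ATTACKER_OID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"

# The SaaS app's user table, keyed by the immutable (tid, oid) pair Entra ID
# assigns to a user object. The email column is informational only.
ACCOUNTS = {
    (VICTIM_TENANT, VICTIM_OID): {"name": "Alice (victim)", "email": "alice@victim.example"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT for the demo only; real ID tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(token: str) -> dict:
    """Unpack the claims segment. Signature and issuer checks are assumed to have
    been done by the app's OIDC library already; this helper does not do them."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

# Vulnerable pattern: the mutable, unverified email claim selects the account.
def lookup_by_email(claims: dict):
    email = claims.get("email", "").lower()
    for account in ACCOUNTS.values():
        if email and account["email"].lower() == email:
            return account
    return None

# Hardened pattern: tenant id + object id select the account; email is ignored.
def lookup_by_tenant_and_oid(claims: dict):
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # refuse tokens that lack the immutable identifiers
    return ACCOUNTS.get((tid, oid))

def email_is_verified(claims: dict) -> bool:
    """Only trust the email claim when Entra ID's optional xms_edov claim
    (email domain owner verified), which the app must request, is true."""
    return claims.get("xms_edov") is True

def demo():
    # Attacker's user in the attacker's own tenant, with the email attribute set
    # to the victim's address. MFA and Conditional Access in the victim's tenant
    # are never consulted because the sign-in happens in the attacker's tenant.
    attacker_claims = {
        "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
        "tid": ATTACKER_TENANT,
        "oid": ATTACKER_OID,
        "sub": "attacker-pairwise-subject",
        "email": "alice@victim.example",
    }
    claims = decode_payload(build_unsigned_token(attacker_claims))
    return lookup_by_email(claims), lookup_by_tenant_and_oid(claims)

# Detection side: constructed SaaS audit records (one JSON object per line) that
# log the issuing tenant of each sign-in. A corporate email presented by a token
# from a foreign tenant is the nOAuth signature.
HOME_TENANT = VICTIM_TENANT
ORG_DOMAINS = {"victim.example"}
SAMPLE_LOG = """\
{"ts":"2025-06-25T08:00:01Z","event":"login","email":"alice@victim.example","tid":"11111111-1111-1111-1111-111111111111"}
{"ts":"2025-06-25T08:05:12Z","event":"login","email":"alice@victim.example","tid":"22222222-2222-2222-2222-222222222222"}
{"ts":"2025-06-25T08:07:40Z","event":"login","email":"bob@partner.example","tid":"33333333-3333-3333-3333-333333333333"}
"""

def flag_foreign_tenant_logins(log_text: str, home_tenant: str, org_domains: set) -> list:
    """Return records where an email in one of our domains arrived in a token
    issued by a tenant other than our home tenant."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        domain = rec.get("email", "").rpartition("@")[2].lower()
        if domain in org_domains and rec.get("tid") != home_tenant:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    by_email, by_ids = demo()
    print("email lookup   ->", by_email["name"] if by_email else None)  # Alice (victim)
    print("tid+oid lookup ->", by_ids["name"] if by_ids else None)      # None
    for hit in flag_foreign_tenant_logins(SAMPLE_LOG, HOME_TENANT, ORG_DOMAINS):
        print("ALERT foreign-tenant sign-in:", hit["email"], "from", hit["tid"])
```

The email lookup hands the attacker Alice's account; keyed on `(tid, oid)` the same token resolves to no account, so the application either denies the sign-in or provisions a brand-new user in the attacker's tenant that holds none of Alice's data. The detection function only works if the SaaS platform records the issuing tenant of each sign-in, which is the cross-platform log correlation the article calls for: the customer's own Entra ID sign-in logs show nothing, because the attacker's sign-in never touched the victim tenant.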
Semperis estimates that at least 10% of the over 150,000 SaaS applications in use were still vulnerable to nOAuth in June 2025, totaling at least 15,000 enterprise SaaS applications. This figure underscores the urgent need for developers and SaaS vendors to address the flaw and protect their users from account takeover.
Stay vigilant. Because the fix for nOAuth lies with the SaaS vendor rather than with the customer, ask your providers whether their Microsoft sign-in integration has been remediated, and keep track of the latest threats to ensure your data remains safe.