ctipilot.ch
← Back to Daily brief 2026-07-18
NOTABLECVE-2026-54733NATOA2vulnerability

Moodle local_o365 plugin: unverified JWT signature on the Teams SSO endpoint lets anyone authenticate as any user (CVE-2026-54733)

discovered 2026-07-18 13:30 UTCrun 2026-07-18T1208Z-audit2 sourcessingle-source

BSI CERT-Bund's advisory WID-SEC-2026-2400 (severity "hoch") surfaced CVE-2026-54733 in local_o365, the official Microsoft 365 / Entra ID integration plugin for Moodle, disclosed through Microsoft's own repository advisory published 2026-07-06 (GitHub Security Advisory, 2026-07-06) and surfaced in-window by BSI CERT-Bund's advisory WID-SEC-2026-2400 (2026-07-16/17, BSI CERT-Bund, 2026-07-16). The flaw (CWE-347, improper verification of cryptographic signature) sits in sso_login.php, the plugin's Microsoft Teams single-sign-on endpoint: the code base64-decoded an incoming JWT and authenticated the user from its upn (user principal name) claim alone — "the signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload" (GitHub Security Advisory, 2026-07-06). The consequence is a pre-auth impersonation primitive: "an unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim" and be logged in as that user — a site administrator included, which the advisory summarizes as effectively full site takeover. Institutional address books make the prerequisite trivial: most UPNs follow guessable naming conventions. Fixed in plugin versions 4.5.6, 5.0.5 and 5.1.1; the GitHub CNA scores it CVSS 4.0 9.3 (GitHub Security Advisory, 2026-07-06). No in-the-wild exploitation is reported by any fetched source.

The signature component was extracted but never verified. Authentication proceeded solely on the upn claim value in the unvalidated payload.

An unauthenticated remote attacker who knows (or can enumerate) any O365-authenticated user's email address can forge a JWT with an arbitrary upn claim.

Microsoft o365-moodle GitHub Security Advisory 2026-07-06

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Microsoft Office 365 (Moodle Plugin) ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Benutzer zu imitieren und sich so erweiterte Berechtigungen, einschließlich Administratorzugriff, zu verschaffen.

BSI CERT-Bund 2026-07-16

ATT&CK mapping

3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1078Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

overlap matrix · ATT&CK page ↗

T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1078Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1078Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1078Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1606Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.