PT-2025-23984

Janek-Git · Published 2025-06-05 · Updated 2025-06-06 · CVE-2025-49012

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Himmelblau versions 0.9.0 through 0.9.14
Himmelblau version 1.00-alpha
Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. The issue arises when Entra ID group-based access restrictions are configured using group display names instead of object IDs. A user can create a personal group with the same display name as a legitimate access group, add themselves to it, and be granted authentication or sudo rights by Himmelblau. The root cause is that affected Himmelblau versions accept a match on either the mutable displayName or the immutable objectId, so the display-name path lets a user bypass access controls that were intended to restrict login to members of official, centrally managed groups.
Recommendations

For Himmelblau versions 0.9.0 through 0.9.14: replace all entries in pam_allow_groups with the objectId of the target Entra ID group(s) to mitigate the issue.
For Himmelblau version 1.00-alpha: replace all entries in pam_allow_groups with the objectId of the target Entra ID group(s) to mitigate the issue.
As a general mitigation measure, audit your tenant for groups with duplicate display names using the Microsoft Graph API.
Update to Himmelblau version 0.9.15 or later, where group-name matching in pam_allow_groups has been deprecated and removed; only group objectId(s) (GUIDs) may be specified for secure group-based filtering.
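The following audit script is an added example, not code from the Himmelblau project or this advisory. It assumes an INI-style himmelblau.conf carrying a `pam_allow_groups` key and a Microsoft Graph `GET /groups` response whose objects expose `id` (the objectId) and `displayName`; the config text and group list embedded below are constructed samples. It flags every entry that is matched by display name rather than objectId, lists display names that are shared by more than one group in the tenant (the condition the advisory asks you to audit for), and rewrites unambiguous names to their objectIds so the hardened value can be pasted back into the config.

```python
"""Audit a Himmelblau pam_allow_groups setting for display-name entries.

Added example, not Himmelblau's own code.  Assumes an INI-style
himmelblau.conf with a `pam_allow_groups` key and Microsoft Graph
`GET /groups` objects carrying `id` (the objectId) and `displayName`.
All sample data below is constructed.
"""
import re
from collections import defaultdict

# Only objectId GUIDs survive a display-name collision: a user can create a
# group called "linux-admins", but cannot pick its objectId.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample config: one objectId entry and two display-name entries.
SAMPLE_CONF = """\
[global]
pam_allow_groups = 2d6a9c3e-1b4f-4a8e-9c71-0f3b5e7d1a22, linux-admins, helpdesk
"""

# Constructed sample of Graph /groups objects (only the two fields used here).
SAMPLE_GRAPH_GROUPS = [
    {"id": "2d6a9c3e-1b4f-4a8e-9c71-0f3b5e7d1a22", "displayName": "linux-sudoers"},
    {"id": "7f1c0d2b-5e3a-4c6d-8b9e-1a2b3c4d5e6f", "displayName": "linux-admins"},  # managed group
    {"id": "a9b8c7d6-e5f4-4321-8765-4321fedcba98", "displayName": "linux-admins"},  # name collision
    {"id": "0123abcd-4567-4ef0-8123-456789abcdef", "displayName": "helpdesk"},
]


def parse_pam_allow_groups(conf_text):
    """Return the comma-separated entries of pam_allow_groups, or [] if unset."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "pam_allow_groups":
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def duplicate_display_names(groups):
    """Map each displayName shared by more than one group to the ids that carry it."""
    ids_by_name = defaultdict(list)
    for g in groups:
        ids_by_name[g["displayName"]].append(g["id"])
    return {name: ids for name, ids in ids_by_name.items() if len(ids) > 1}


def harden_allow_list(entries, groups):
    """Rewrite display-name entries to objectIds.

    Returns (object_ids, unresolved): object_ids is the hardened list in the
    original order; unresolved maps each name that is absent or ambiguous in
    the tenant to its candidate ids, so an operator picks the managed group
    by hand instead of letting a colliding group through.
    """
    ids_by_name = defaultdict(list)
    for g in groups:
        ids_by_name[g["displayName"]].append(g["id"])
    object_ids, unresolved = [], {}
    for entry in entries:
        if GUID_RE.match(entry):
            object_ids.append(entry.lower())
            continue
        candidates = ids_by_name.get(entry, [])
        if len(candidates) == 1:
            object_ids.append(candidates[0])
        else:
            unresolved[entry] = candidates
    return object_ids, unresolved


def audit(conf_text, groups):
    """Full report: name-matched entries, tenant-wide duplicates, hardened list."""
    entries = parse_pam_allow_groups(conf_text)
    object_ids, unresolved = harden_allow_list(entries, groups)
    return {
        "name_matched_entries": [e for e in entries if not GUID_RE.match(e)],
        "duplicate_display_names": duplicate_display_names(groups),
        "hardened_pam_allow_groups": object_ids,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, SAMPLE_GRAPH_GROUPS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("pam_allow_groups = " + ", ".join(report["hardened_pam_allow_groups"]))
```

In the sample, `helpdesk` resolves cleanly to its single objectId, while `linux-admins` is reported as unresolved because two groups share that name; that is exactly the case the advisory describes, and the script refuses to guess which of the two is the managed one. On a live tenant, replace `SAMPLE_GRAPH_GROUPS` with the paged output of the Graph `/groups` endpoint and feed the real config file to `audit`.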

Tags: Exploit · Fix · LPE · Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2025-49012
GHSA-GCXR-M95V-QCF7

Affected Products

Himmelblau
Intune
Azure Entra ID