alt Hacker NewsThe linked CVE has something that strikes me as odd. It marks this exploit's 'Attack Complexity' as 'High', meaning:
> A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).
But reading Dirk-jan's article, really all you need is basic admin knowledge of Entra ID etc., and the netId of any single user on the targetted environment, which can be found using brute force enumeration. The rest is public knowledge.
Strictly speaking the attacker would need to invest in some measurable amount of effort, but that seems like stretching the definition to make the CVE look less awkward.
In my personal experience as someone who has spent the last 6 years of his career in the security industry, almost nobody actually uses CVSS the way it is intended, they just almost arbitrarily tweak the CVSS inputs to produce an output they like.
You are correct that the attack complexity probably shouldn't be high in this case. But presumably the person calculating the CVSS score thought it was too high if attack complexity wasn't set to high.
CVSS has other issues, like people trying to apply it to things that are not vulnerabilities. I would ignore most CVSS scores you see and just read what the issue is instead and make your own judgement call.