CVE-2024-26201: CWE-284: Improper Access Control in Microsoft Intune Company Portal for Android

Medium
Published: Tue Mar 12 2024 (03/12/2024, 16:57:54 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Intune Company Portal for Android

Description

Microsoft Intune Linux Agent Elevation of Privilege Vulnerability

AI-Powered Analysis

Last updated: 06/26/2025, 06:28:55 UTC

Technical Analysis

CVE-2024-26201 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Microsoft Intune Company Portal for Android, specifically version 1.0.0. It allows an elevation of privilege due to improper access control mechanisms within the application. The Intune Company Portal app is a critical component used by organizations to manage and secure mobile devices, providing access to corporate resources and enforcing compliance policies. The vulnerability arises because the app does not adequately restrict certain privileged operations, potentially allowing a user with low privileges to escalate their permissions within the app context.

The CVSS 3.1 base score is 6.6 (medium severity). The vector indicates that the attack requires local access (AV:L), has low attack complexity (AC:L), requires low privileges (PR:L), and requires user interaction (UI:R). The scope remains unchanged (S:U), the impact on confidentiality and integrity is high (C:H/I:H), and availability is not affected (A:N). No known exploits are currently reported in the wild, and no patches or mitigations have been explicitly linked yet. The vulnerability was reserved in February 2024 and published in March 2024.

This issue is significant because it could allow an attacker with limited access on an Android device enrolled in Intune management to gain unauthorized access to sensitive corporate data or manipulate device management policies, undermining the security posture of the managed environment.

Potential Impact

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of corporate data accessed or managed via Android devices enrolled in Microsoft Intune. Since Intune is widely used across enterprises for mobile device management (MDM), exploitation could lead to unauthorized access to sensitive information, including emails, documents, and internal applications. The elevation of privilege could also allow attackers to bypass compliance policies or deploy malicious configurations, potentially leading to data leakage or disruption of business processes. Given the reliance on mobile device management in sectors such as finance, healthcare, and government within Europe, the impact could be significant, especially where strict data protection regulations like GDPR apply. The lack of availability impact reduces the risk of service outages, but the high confidentiality and integrity impact still make this a serious concern. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, especially in scenarios where devices are lost, stolen, or accessed by malicious insiders.

Mitigation Recommendations

1. Immediate mitigation should include restricting physical and local access to corporate Android devices enrolled in Intune to trusted users only, minimizing the risk of local exploitation.
2. Organizations should enforce strong device lock policies (PIN, biometric) and enable remote wipe capabilities to quickly respond to lost or stolen devices.
3. Monitor device logs and Intune management console for unusual privilege escalations or policy changes that could indicate exploitation attempts.
4. Educate users on the risks of interacting with suspicious prompts or applications that could trigger the vulnerability.
5. Until an official patch is released, consider limiting the deployment of Intune Company Portal version 1.0.0 on Android devices or use alternative management methods where feasible.
6. Coordinate with Microsoft support channels for updates and apply patches promptly once available.
7. Implement layered security controls such as endpoint detection and response (EDR) solutions on mobile devices to detect anomalous behavior.
8. Review and tighten access control policies within Intune to minimize privileges granted to users and applications.

Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2024-02-14T22:23:54.102Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9836c4522896dcbeb056

Added to database: 5/21/2025, 9:09:10 AM

Last enriched: 6/26/2025, 6:28:55 AM

Last updated: 7/31/2025, 4:43:18 AM
