
CVE-2025-54882: CWE-522: Insufficiently Protected Credentials in himmelblau-idm himmelblau

Severity: High
Type: Vulnerability
Tags: CVE-2025-54882, CWE-522
Published: Thu Aug 07 2025 (08/07/2025, 00:02:09 UTC)
Source: CVE Database V5
Vendor/Project: himmelblau-idm
Product: himmelblau

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials are stored as world readable. This is fixed in versions 0.9.22 and 1.2.0. To work around this issue, remove all read access to Himmelblau caches for all users except for owners.

AI-Powered Analysis

Last updated: 08/07/2025, 01:02:45 UTC

Technical Analysis

CVE-2025-54882 is a high-severity vulnerability affecting the himmelblau interoperability suite for Microsoft Azure Entra ID and Intune. Versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0 of himmelblau store the cloud Ticket Granting Ticket (TGT) received during user logon in the Kerberos credential cache, and both the credential cache collection and the credentials in it are created world-readable, so any user on the system can read these authentication tokens. The weakness is classified as CWE-522, Insufficiently Protected Credentials. Because the permissions are too permissive, an unprivileged local user can read another user's Kerberos tickets and potentially use them to impersonate that user or escalate privileges within the network. No user interaction is required, but the attacker needs local access as a low-privileged user. The CVSS 3.1 base score is 7.1 (high): confidentiality and integrity impact are high, availability is not affected, and scope is unchanged because the impact is confined to the local system. The issue is fixed in himmelblau versions 0.9.22 and 1.2.0, which restrict read access on the credential cache to the owner. No exploits are currently reported in the wild. As a workaround until the patch is applied, administrators should remove read permissions on the himmelblau credential caches for all users except the owner.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of authentication credentials in environments that use himmelblau for Azure Entra ID and Intune interoperability. An unauthorized local user who reads another user's Kerberos TGT can impersonate that user, access sensitive resources and data, and move laterally within the corporate network. Because Azure Entra ID and Intune are widely used for enterprise identity and device management, exploitation could undermine trust in identity federation and device compliance enforcement. This is particularly critical for organizations handling personal data under GDPR, where unauthorized access can lead to regulatory non-compliance and substantial fines. The vulnerability requires local access with limited privileges, so insiders and attackers who have already compromised a low-privilege account pose the greatest risk. Because no user interaction is required, exploitation can be automated once local access is obtained. Although no public exploits are known yet, the high confidentiality and integrity impact warrants urgent attention from European enterprises relying on himmelblau for identity management.

Mitigation Recommendations

1. Immediate patching: Upgrade himmelblau to a fixed release, 0.9.22 on the 0.9.x line or 1.2.0 on the 1.x line, where the credential cache permissions are properly restricted (note that 1.0.0-beta through 1.1.0 remain vulnerable).
2. Access control hardening: Until patches are applied, manually restrict read permissions on the Kerberos credential cache files created by himmelblau so that only the owner has read access. Use OS-level access control lists (ACLs) or file permission commands to enforce this.
3. Monitor local user activity: Implement enhanced monitoring and alerting for unusual local access patterns or attempts to read credential caches.
4. Limit local user privileges: Enforce the principle of least privilege to reduce the number of users with local access rights that could exploit this vulnerability.
5. Network segmentation: Isolate critical systems running himmelblau to limit lateral movement if credentials are compromised.
6. Incident response readiness: Prepare to investigate and respond to potential credential theft incidents, including Kerberos ticket misuse.
7. Awareness: Educate administrators and users about the risk of local credential exposure and the importance of applying updates promptly.
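A shell check for the workaround in item 2, added here as an example and not taken from the advisory or the Himmelblau project: it lists cache entries that group or other users can read and, with `--fix`, tightens them to owner-only access. The cache path is an assumption you supply, since the advisory does not name the location himmelblau uses, and the check applies to FILE/DIR credential caches on disk, not to kernel-keyring caches.

```shell
#!/bin/sh
# Added example; not code from the advisory or the Himmelblau project.
# Audits a FILE/DIR-type Kerberos credential cache location for entries that
# group or other users can read, and tightens them to owner-only access.
# The cache path is passed as an argument because the advisory does not
# name the location Himmelblau uses; look it up on the affected host.

# Print every entry under the path with a group or other read bit set.
# POSIX find: "-perm -g+r" matches when the group-read bit is present.
exposed_entries() {
    find "$1" \( -perm -g+r -o -perm -o+r \) -print
}

# Succeed only when nothing under the path is readable by non-owners.
check_cache() {
    [ -z "$(exposed_entries "$1")" ]
}

# Remove group/other access: directories 0700, regular files 0600.
# This is the advisory's workaround (owner-only read access) expressed as
# commands; it changes permission bits only, never ownership.
harden_cache() {
    find "$1" -type d -exec chmod 0700 {} + &&
    find "$1" -type f -exec chmod 0600 {} +
}

# Stand-alone usage: audit (and with --fix, tighten) the given cache path.
if [ "$#" -gt 0 ]; then
    cache="$1"
    if check_cache "$cache"; then
        echo "OK: no entries under $cache are readable by other users"
    else
        echo "EXPOSED entries under $cache:"
        exposed_entries "$cache"
        if [ "$2" = "--fix" ]; then
            harden_cache "$cache" && echo "Permissions tightened to owner-only"
        fi
    fi
fi
```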


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.476Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6893f7c1ad5a09ad00f58d70

Added to database: 8/7/2025, 12:48:01 AM

Last enriched: 8/7/2025, 1:02:45 AM

Last updated: 8/9/2025, 10:33:30 AM
