H3-2024-0051

Intune Mobile Device Management Remote Code Execution (RCE)

Category: SECURITY_CONTROLS
Base Score: 7.2

Description

Microsoft Intune is a cloud-based solution designed for managing endpoints. It helps control user access to organizational resources and streamlines the management of applications and devices across a range of platforms, including mobile devices, desktop computers, and virtual environments. Attackers can exploit Intune to achieve remote code execution (RCE).

Impact

Attackers with privileged Azure credentials can execute arbitrary code on all managed devices with SYSTEM-level access, potentially compromising sensitive data, enabling lateral movement, and installing malware. This creates a severe threat to on-premises infrastructure and greatly expands the scope and impact of a compromise across the organization's entire environment.
