CVE-2025-61876: Inforcer Platform Insecure Direct Object Reference (IDOR)

Published: October 29, 2025
Category: Security

Vendor: Inforcer Ltd

Vendor URL: https://www.inforcer.com/

Versions affected: 2.0.153 (builds released on or before the 1st of October are affected)

Systems Affected: Platform.

Advisory URL: CVE-2025-61876.

Risk: Medium 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Summary

Inforcer responded professionally, delivering a hot patch within three hours of being notified of the vulnerability, demonstrating a strong commitment to security.

Inforcer is a UK-founded technology company that provides multi-tenant management solutions for Managed Service Providers (MSPs) focused on Microsoft 365 environments. Its platform enables MSPs to standardise and automate security policies, streamline configuration, and maintain compliance across multiple tenants at scale. By bridging gaps in Microsoft’s native tools, Inforcer helps MSPs reduce risk, eliminate human error, and deliver proactive, cloud-first services built on Microsoft technologies like Intune, Defender, and Entra ID.

Impact

The vulnerability allows an authenticated user with low privileges to enumerate and access sensitive tenant information belonging to other clients by simply modifying the tenant ID in the request. This exposes sensitive data such as tenant identifiers, DNS names, application IDs, and notification email addresses, which could facilitate targeted attacks, social engineering, or further compromise of the affected tenants. The cross-tenant data disclosure significantly undermines confidentiality and breaches isolation guarantees in a multi-tenant environment.

Details

The /tenants/{id} API endpoint failed to enforce proper authorisation checks, allowing an authenticated user to access tenant details belonging to other clients by simply incrementing the tenant ID in the request URL. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability.

The request did require authentication; however, no validation was performed to ensure that the requesting user was authorised to view the specified tenant. As a result, sensitive information such as tenant identifiers, DNS names, application IDs, and notification email addresses could be retrieved for any tenant within the system.

The following request demonstrates the issue, where changing the numeric ID in the path parameter grants access to another client’s tenant details:

GET /tenants/[valid numeric tenant ID] HTTP/1.1
Host: sso-uk-inforcer.com
Cookie: [valid session cookie]

The response contained sensitive data, including:

  • clientTenantId
  • dnsName
  • applicationId
  • notificationAddress

Recommendation

Implement strict authorisation checks on all tenant-related API endpoints to ensure that users can only access resources explicitly associated with their account or organisation. This should include validating the tenant ID against the authenticated user’s permissions on the server side, rather than relying on client-supplied identifiers. Additionally, consider introducing indirect object references (e.g., opaque identifiers or GUIDs) instead of sequential numeric IDs to reduce the risk of enumeration. Regular access control testing and automated security checks should also be integrated into the development lifecycle to prevent similar issues in the future.
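As an added illustration (not Inforcer's code, which is not shown in this advisory), the following Python models the vulnerable handler beside the hardened one that applies the server-side ownership check, plus the indirect-reference scheme the recommendation describes; the sample tenants, the Session type and every function name are constructed for this example.

```python
import secrets
from dataclasses import dataclass
# Constructed sample data for this example, not Inforcer's. Field names mirror the
# response fields listed in the advisory; org_id records which MSP account owns the row.
TENANTS = {
    101: {"org_id": "msp-a", "clientTenantId": "aaaa-1111", "dnsName": "a.example.com",
          "applicationId": "app-a", "notificationAddress": "alerts@a.example.com"},
    102: {"org_id": "msp-b", "clientTenantId": "bbbb-2222", "dnsName": "b.example.com",
          "applicationId": "app-b", "notificationAddress": "alerts@b.example.com"},
}

@dataclass
class Session:
    """The authenticated caller and the organisation their account belongs to."""
    user: str
    org_id: str

def _public_view(tenant):
    # Drop the internal ownership column before the record leaves the server.
    return {k: v for k, v in tenant.items() if k != "org_id"}

def get_tenant_vulnerable(session, tenant_id):
    """Authentication only: any logged-in user can read any tenant by changing the ID."""
    if session is None:
        return 401, None
    tenant = TENANTS.get(tenant_id)
    return (404, None) if tenant is None else (200, _public_view(tenant))

def get_tenant_secure(session, tenant_id):
    """Authentication plus a server-side check that the caller's organisation owns the tenant."""
    if session is None:
        return 401, None
    tenant = TENANTS.get(tenant_id)
    # Missing and foreign tenants both answer 404, so the response never confirms a guessed ID.
    if tenant is None or tenant["org_id"] != session.org_id:
        return 404, None
    return 200, _public_view(tenant)

# Indirect object references: a random handle replaces the sequential ID in URLs, so
# there is nothing to increment; ownership is still checked on every lookup.
_REFS = {}
def issue_ref(tenant_id):
    """Mint the handle a listing endpoint would hand to the tenant's owner."""
    ref = secrets.token_urlsafe(16)
    _REFS[ref] = tenant_id
    return ref

def get_tenant_by_ref(session, ref):
    """Resolve the handle server-side, then apply the same ownership check."""
    return get_tenant_secure(session, _REFS.get(ref))
```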

Timeline

  • SilvaTech notified vendor 1st October 2025 @ 17:35 BST.
  • Vendor acknowledged vulnerability 1st October 2025 @ 19:09 BST.
  • Patch published by vendor 1st October 2025 @ 20:08 BST.
  • SilvaTech retested and confirmed resolved 2nd October 2025.
  • Advisory published 29th October 2025.

Thanks to

Liam Glanfield and Ben Street at SilvaTech Solutions Ltd.
