Authentication Flaw in Himmelblau for Microsoft Azure Entra ID and Intune
CVE-2025-53013

5.2 MEDIUM

Key Information:

Vendor
CVE Published:
26 June 2025

What is CVE-2025-53013?

A flaw in Himmelblau allows a user to authenticate to a Linux host with an invalid Hello PIN when the host is offline. The cause is a programming oversight in the offline authentication path: the TPMFail error returned when the Hello key fails to unlock is treated as expected and transitions the state machine to the offline-success state, even though the key was never unlocked. The result is local access to the system with a wrong PIN; Single Sign-On still fails, because no tokens can be issued without the unlocked key. Versions 0.9.10 through 0.9.16 are affected; the issue is fixed in 0.9.17. Until the host is upgraded, disable Hello PIN authentication as a temporary workaround.
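The failure mode described above, as an added Rust example that is not Himmelblau's own code: a toy TPM-backed Hello key, the offline path written the way the advisory describes it (TpmFail mapped to offline success), and the corrected path beside it. All type and function names (HelloKey, TpmError, AuthResult, offline_auth_vulnerable, offline_auth_fixed, can_issue_tokens) and the PIN-hash stand-in are invented for this illustration and are not Himmelblau identifiers.

```rust
// Illustrative reconstruction of CVE-2025-53013, not Himmelblau's code.
// Every identifier below is an assumption made for the example.

/// Errors a TPM-backed key unlock can produce; only `TpmFail` matters here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TpmError {
    /// The TPM refused the operation (wrong PIN / auth value mismatch).
    TpmFail,
    /// No Hello key is enrolled on this host.
    KeyNotFound,
}

/// A Hello key sealed to a PIN. The "TPM" releases the secret only when the
/// PIN hash matches the one recorded at enrolment.
pub struct HelloKey {
    pin_hash: u64,
    secret: [u8; 4],
}

/// Constructed stand-in for the TPM auth-value derivation (FNV-1a, not a KDF).
fn hash_pin(pin: &str) -> u64 {
    pin.bytes()
        .fold(0xcbf29ce484222325u64, |h, b| (h ^ b as u64).wrapping_mul(0x100000001b3))
}

impl HelloKey {
    pub fn enroll(pin: &str, secret: [u8; 4]) -> Self {
        HelloKey { pin_hash: hash_pin(pin), secret }
    }

    /// Simulated unseal: a wrong PIN yields exactly the TpmFail the advisory names.
    pub fn unlock(&self, pin: &str) -> Result<[u8; 4], TpmError> {
        if hash_pin(pin) == self.pin_hash {
            Ok(self.secret)
        } else {
            Err(TpmError::TpmFail)
        }
    }
}

/// Outcome of an offline Hello PIN attempt.
#[derive(Debug, PartialEq, Eq)]
pub enum AuthResult {
    /// Local login granted. `hello_key` is what a later token request would use;
    /// `None` means login was granted without the key ever being unlocked,
    /// which is why SSO then fails on the vulnerable path.
    OfflineSuccess { hello_key: Option<[u8; 4]> },
    Denied,
}

/// Vulnerable shape (the 0.9.10 - 0.9.16 behaviour as described): the offline
/// path "expects" TpmFail and advances to the offline-success state anyway.
pub fn offline_auth_vulnerable(key: &HelloKey, pin: &str) -> AuthResult {
    match key.unlock(pin) {
        Ok(secret) => AuthResult::OfflineSuccess { hello_key: Some(secret) },
        // BUG: the expected error is swallowed and mapped to success.
        Err(TpmError::TpmFail) => AuthResult::OfflineSuccess { hello_key: None },
        Err(_) => AuthResult::Denied,
    }
}

/// Fixed shape: a failed unlock is a failed authentication, whatever the error.
pub fn offline_auth_fixed(key: &HelloKey, pin: &str) -> AuthResult {
    match key.unlock(pin) {
        Ok(secret) => AuthResult::OfflineSuccess { hello_key: Some(secret) },
        Err(_) => AuthResult::Denied,
    }
}

/// Token issuance needs the unlocked key, so a key-less "success" cannot do SSO.
pub fn can_issue_tokens(result: &AuthResult) -> bool {
    matches!(result, AuthResult::OfflineSuccess { hello_key: Some(_) })
}

fn main() {
    // Constructed enrolment: PIN "123456" protecting a toy secret.
    let key = HelloKey::enroll("123456", [0xde, 0xad, 0xbe, 0xef]);
    let bad = offline_auth_vulnerable(&key, "000000");
    println!("vulnerable, wrong PIN: {:?} (SSO possible: {})", bad, can_issue_tokens(&bad));
    println!("fixed, wrong PIN:      {:?}", offline_auth_fixed(&key, "000000"));
    println!("fixed, right PIN:      {:?}", offline_auth_fixed(&key, "123456"));
}
```

The point to check in any such state machine is that the only transition into an "authenticated" state is driven by a successful unlock result, never by a matched error variant; the wrong-PIN case here reaches OfflineSuccess with no key, which is exactly the local-login-without-SSO symptom the advisory describes.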

Affected Version(s)

himmelblau >= 0.9.10, < 0.9.17

References

CVSS V3.1

Score:
5.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
