Exposure Risk Update: Dormant SaaS, Patch Noise, and a 26M-Record Cloud Leak

Weekly Exposure Management Brief – July 22, 2025 | Published by NorthStar.io


1. Dormant SaaS Accounts: The Next External Exposure?

A new advisory from Semperis warns that 10% of Microsoft Entra-integrated SaaS applications remain vulnerable to a flaw called nOAuth, which allows full account takeover via misconfigured authentication flows.

📰 Read the June 25, 2025 disclosure from Semperis

Why it matters: Dormant SaaS services are often excluded from asset inventories. Attackers actively look for forgotten accounts or exposed OAuth flows to hijack.

  • Continuously scan Entra ID–connected SaaS apps
  • Deactivate stale service accounts
  • Audit OAuth and OIDC settings for insecure redirect URIs
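One way to run the three checks above against an exported Entra ID application inventory, as an added example that is not NorthStar's tooling or code from the Semperis advisory: the inventory layout, the sample records, the 90-day staleness threshold and the redirect-URI heuristics (non-HTTPS scheme, wildcard host, loopback host) are assumptions chosen for illustration, not a complete policy.

```python
"""Audit an exported Entra ID app inventory for stale service principals and
insecure OAuth/OIDC redirect URIs.

Constructed sample data; the record layout is an assumption, not the
Microsoft Graph schema or any vendor's export format.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed inventory: one record per Entra-integrated app / service principal.
INVENTORY = [
    {"name": "hr-portal", "last_sign_in": "2025-07-20T08:00:00Z",
     "redirect_uris": ["https://hr.example.com/auth/callback"]},
    {"name": "legacy-timesheets", "last_sign_in": "2024-11-02T10:15:00Z",
     "redirect_uris": ["http://timesheets.example.com/cb",
                       "https://*.example.com/cb"]},
    {"name": "pilot-chatbot", "last_sign_in": None,
     "redirect_uris": ["https://localhost:3000/callback"]},
]

# Fixed "now" (the brief's date) so the run is reproducible; 90 days is an assumed threshold.
NOW = datetime(2025, 7, 22, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)


def is_stale(record, now=NOW, threshold=STALE_AFTER):
    """A principal that never signed in, or not within the threshold, is stale."""
    if record["last_sign_in"] is None:
        return True
    seen = datetime.fromisoformat(record["last_sign_in"].replace("Z", "+00:00"))
    return now - seen > threshold


def redirect_uri_findings(uri):
    """Return the reasons a redirect URI looks unsafe (empty list = no finding)."""
    reasons = []
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("non-https scheme")
    if "*" in parsed.netloc:
        reasons.append("wildcard host")
    if host in ("localhost", "127.0.0.1"):
        reasons.append("loopback host in a production registration")
    return reasons


def audit(inventory, now=NOW):
    """Collect (app, finding_kind, detail) tuples for stale principals and bad URIs."""
    findings = []
    for rec in inventory:
        if is_stale(rec, now):
            findings.append((rec["name"], "stale", "deactivate or re-justify"))
        for uri in rec["redirect_uris"]:
            for reason in redirect_uri_findings(uri):
                findings.append((rec["name"], "redirect_uri", f"{uri}: {reason}"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(INVENTORY):
        print(f"{name:20} {kind:13} {detail}")
```

Feed it the real export by replacing `INVENTORY`; the point of keeping staleness and redirect-URI checks as separate functions is that the first drives deactivation tickets while the second drives app-registration fixes, and the two usually land with different owners.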

➡️ NorthStar’s Exposure Mapper identifies external-facing risks—even for assets your CMDB doesn’t know exist.


2. Critical CVEs With Low Real Exposure

The July Patch Tuesday dropped 130+ CVEs, including 10 marked critical. However, NorthStar’s telemetry showed that less than 2% of enterprise assets were externally exposed to any of them.

  • CVE-2025-49695 through CVE-2025-49702 – Office Preview Pane RCE
  • CVE-2025-49704 – SharePoint RCE
  • CVE-2025-49717 – SQL Server RCE
  • CVE-2025-47981 – SPNEGO RCE (CVSS 9.8)

📊 Exposure-Aware Breakdown

Chart: Exposure Risk Update July 2025

➡️ NorthStar’s Risk Engine ingests CVE, CVSS, exposure, and control context—surfacing the ~2% of “critical + exposed” issues you actually need to fix.
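The triage logic described here, as an added example and not NorthStar's Risk Engine: it joins the four CVEs listed above with an asset inventory and surfaces only the pairs that are critical, internet-exposed and without a compensating control. The CVE IDs and the CVSS 9.8 for CVE-2025-47981 come from the brief; the component mapping, the asset inventory and the control flags are constructed for illustration.

```python
"""Exposure-aware CVE triage: join a CVE list with an asset inventory and
surface only 'critical + exposed + uncontrolled' findings.

CVE IDs are from the brief; the 'component' mapping, the asset list and the
exposure/control flags are constructed sample data.
"""

CVES = [
    {"id": "CVE-2025-49704", "component": "SharePoint", "severity": "critical"},
    {"id": "CVE-2025-49717", "component": "SQL Server", "severity": "critical"},
    {"id": "CVE-2025-47981", "component": "Windows", "severity": "critical", "cvss": 9.8},
    {"id": "CVE-2025-49695", "component": "Office", "severity": "critical"},
]

# Constructed inventory: which components each host runs, whether it is reachable
# from the internet, and whether a compensating control (WAF, ACL, ...) is in front of it.
ASSETS = [
    {"host": f"ws-{i:02d}", "components": ["Windows", "Office"], "exposed": False, "control": False}
    for i in range(1, 11)
] + [
    {"host": "sp-internal-01", "components": ["Windows", "SharePoint"], "exposed": False, "control": False},
    {"host": "sp-extranet-01", "components": ["Windows", "SharePoint"], "exposed": True, "control": False},
    {"host": "sql-prod-01", "components": ["Windows", "SQL Server"], "exposed": False, "control": False},
    {"host": "vpn-gw-01", "components": ["Windows"], "exposed": True, "control": True},
]


def affected(asset, cve):
    """An asset is affected if it runs the CVE's component."""
    return cve["component"] in asset["components"]


def triage(cves, assets):
    """Bucket every (CVE, host) pair by what actually drives urgency."""
    tiers = {"fix_now": [], "exposed_but_controlled": [], "exposed_review": [], "patch_cycle": []}
    for cve in cves:
        for asset in assets:
            if not affected(asset, cve):
                continue
            pair = (cve["id"], asset["host"])
            if not asset["exposed"]:
                tiers["patch_cycle"].append(pair)       # internal: normal patch cadence
            elif asset["control"]:
                tiers["exposed_but_controlled"].append(pair)  # verify the control, then patch
            elif cve["severity"] == "critical":
                tiers["fix_now"].append(pair)           # critical + exposed + no control
            else:
                tiers["exposed_review"].append(pair)
    return tiers


def exposed_fraction(cves, assets):
    """Share of assets that are internet-exposed AND affected by at least one listed CVE."""
    hit = {a["host"] for cve in cves for a in assets if affected(a, cve) and a["exposed"]}
    return len(hit) / len(assets)


if __name__ == "__main__":
    result = triage(CVES, ASSETS)
    print("fix now:", result["fix_now"])
    print(f"exposed share: {exposed_fraction(CVES, ASSETS):.1%}")
```

The same 27 affected pairs reduce to two that need an emergency change; everything else rides the normal patch cycle or a control-verification task, which is the difference between a CVE count and an exposure count.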


3. Mass Exposure: 26 Million Resumes Publicly Leaked

On July 9, 2025, a misconfigured Azure Blob storage container at U.S.-based recruiting firm TalentHook exposed nearly 26 million resumes containing PII and job history.

📰 Read the full breach analysis via ITPro

Why it matters:

  • Misconfigured cloud storage is a top vector for public data leaks
  • Attackers exploit overly permissive access for phishing and identity theft
  • Exposures often go undetected for weeks due to lack of drift monitoring

What to do:

  1. Audit permissions on all cloud storage (Azure, AWS, GCP)
  2. Enforce least-privilege access and disable anonymous access
  3. Monitor configuration drift to catch permission changes in real time
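The three steps above as a drift check over two configuration snapshots, added here as an example that is not NorthStar's Exposure Mapper: `allowBlobPublicAccess` (storage account) and `publicAccess` (container, values `None`, `Blob`, `Container`) are the real Azure resource properties, but the snapshot layout, the account and container names and the "before/after" values are constructed, and nothing here is drawn from the TalentHook incident itself.

```python
"""Detect anonymous-access drift on Azure Blob storage from two configuration
snapshots, and produce the least-privilege target state.

Constructed snapshots. Property names match Azure's storage resource model:
the account-level allowBlobPublicAccess switch must be true AND a container's
publicAccess must be 'Blob' or 'Container' for anonymous reads to work.
'Container' additionally lets anonymous callers list the blobs.
"""

BASELINE = {
    "strecruitingprod": {
        "allowBlobPublicAccess": False,
        "containers": {"resumes": "None", "public-assets": "None"},
    },
}

CURRENT = {
    "strecruitingprod": {
        "allowBlobPublicAccess": True,
        "containers": {"resumes": "Container", "public-assets": "Blob", "exports": "None"},
    },
}

ANON_LEVELS = ("Blob", "Container")


def effective_anonymous(account):
    """Containers that are actually readable without credentials."""
    if not account["allowBlobPublicAccess"]:
        return {}
    return {name: lvl for name, lvl in account["containers"].items() if lvl in ANON_LEVELS}


def drift(baseline, current):
    """Return (account, scope, detail) findings for permission changes since baseline."""
    findings = []
    for acct, cur in current.items():
        base = baseline.get(acct, {"allowBlobPublicAccess": False, "containers": {}})
        if cur["allowBlobPublicAccess"] and not base["allowBlobPublicAccess"]:
            findings.append((acct, "account", "allowBlobPublicAccess flipped to true"))
        before, after = effective_anonymous(base), effective_anonymous(cur)
        for name, lvl in after.items():
            if before.get(name) != lvl:
                listing = " and listable" if lvl == "Container" else ""
                findings.append((acct, name, f"now anonymously readable{listing} (publicAccess={lvl})"))
        for name in cur["containers"]:
            if name not in base["containers"]:
                findings.append((acct, name, "new container; confirm its access level is intended"))
    return findings


def remediation(current):
    """Hardened copy of the snapshot: anonymous access off at both levels."""
    return {
        acct: {"allowBlobPublicAccess": False,
               "containers": {name: "None" for name in cfg["containers"]}}
        for acct, cfg in current.items()
    }


if __name__ == "__main__":
    for acct, scope, detail in drift(BASELINE, CURRENT):
        print(f"{acct} {scope:15} {detail}")
```

Run the check on every snapshot your inventory job takes; a container that flips to `Container` access is the case that exposes the full listing, which is how a bucket of resumes becomes enumerable rather than merely fetchable by URL.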

➡️ NorthStar’s Continuous Exposure Mapper flags misconfigured storage buckets and alerts your team before attackers find them.


🛠️ Want to See Your Exposure Map?

Book a 15-minute Exposure Review and let NorthStar show you what you’re missing.