SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

ID: 40a3a8e8-9f0f-5d59-b3b5-6bcdbc982760

STIX ID: report--40a3a8e8-9f0f-5d59-b3b5-6bcdbc982760

Feed Name: SpecterOps Blog

Threat Score: 75/100

Date Published: 2025-11-19

Date Updated: 2026-04-30

Author: Garrett Foster

This report analyzes a privilege-escalation vulnerability in Microsoft SCCM's AdminService integration with Entra ID. An attacker who could create or manipulate synchronized UPNs was able to impersonate Active Directory identities (including the site server machine account) and perform administrative actions across the SCCM hierarchy. The author documents the code paths, a proof-of-concept, environment assumptions and caveats, and notes that Microsoft patched the issue in hotfix KB35360093 (CVE-2025-59501).
