Microsoft confirms 10/10 Azure vulnerability.
Update, May 11, 2025: This story, originally published May 9, has been updated with more details on the move towards greater cloud Common Vulnerabilities and Exposures (CVE) transparency by both Microsoft and Google.
It’s not often that a truly critical security vulnerability emerges that hits the maximum Common Vulnerability Scoring System severity rating of 10. This is one of those times.
Microsoft has confirmed multiple vulnerabilities rated as critical and impacting core cloud services, one of which has reached the unwelcome heights of that 10/10 criticality rating. The good news is that none are known to have been exploited in the wild, none have already been publicly disclosed, and as a user, there’s nothing you need to do to protect your environment.
Critical Security Vulnerabilities Impacting Core Microsoft Cloud Services
A total of four cloud security vulnerabilities have been confirmed by Microsoft, one of which hit the 10/10 rating, but two aren’t a million miles short, both being given 9.9 ratings. The final vulnerability remains critical, with a CVSS severity rating of 9.1. Let’s look at them in order of their criticality.
CVE-2025-29813
Critical Rating: 10.0
Azure DevOps Elevation of Privilege Vulnerability
Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles the pipeline job tokens, enabling an attacker to potentially extend their access to a project. “To exploit this vulnerability,” Microsoft said, “an attacker would first have to have access to the project and swap the short-term token for a long-term one.”
CVE-2025-29972
Critical Rating: 9.9
Azure Storage Resource Provider Spoofing Vulnerability
Microsoft said that this Azure server-side request forgery vulnerability could allow an authorized attacker to perform “spoofing” over a network. In other words, a successful threat actor could exploit this vulnerability to distribute malicious requests that impersonate legitimate services and users.
CVE-2025-29827
Critical Rating: 9.9
Azure Automation Elevation of Privilege Vulnerability
Yet another Azure security vulnerability with an unbelievably high official severity rating of 9.9, this time enabling a successful hacker to elevate privileges across the network thanks to an improper authorization issue in Azure Automation.
CVE-2025-47733
Critical Rating: 9.1
Microsoft Power Apps Information Disclosure Vulnerability
Hooray, not Azure this time, and dropping on the criticality rating scale to a 9.1 as well. This vulnerability, as the name suggests, would allow an attacker to disclose information over the network. It’s another server-side request forgery vulnerability but this time impacting Microsoft Power Apps.
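Two of the four CVEs above (CVE-2025-29972 and CVE-2025-47733) are described only by their class, server-side request forgery, and Microsoft has not published the affected code paths. The following is an added example, not code from the article or from Microsoft, illustrating that class in a generic URL-fetching service: a "before" function that resolves whatever host the caller names, and a hardened one that applies a scheme and host allowlist and then checks that the resolved address is publicly routable. The hostnames, addresses and the in-memory resolver (`FAKE_DNS`, `fake_resolve`) are constructed so the demo runs offline.

```python
"""Added example (not from the article or Microsoft): a minimal illustration of
server-side request forgery (SSRF), the class named for CVE-2025-29972 and
CVE-2025-47733, beside the destination check that closes it in a service that
fetches URLs on a user's behalf. All names and addresses are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for a real resolver so the demo runs offline.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",    # the one host this service should reach
    "internal.example.com": "10.0.0.5",       # internal-only service (RFC 1918)
    "metadata.example": "169.254.169.254",    # link-local range used by cloud metadata services
}

ALLOWED_HOSTS = {"images.example.com"}  # assumed allowlist for this service


def fake_resolve(host: str) -> str:
    """Return the constructed address for host, or raise ValueError if unknown."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"unresolvable host: {host}") from None


def vulnerable_target(url: str) -> str:
    """'Before' shape: trusts the caller-supplied URL and resolves whatever it names.
    A crafted URL can therefore steer the server at internal or link-local hosts."""
    host = urlsplit(url).hostname
    return fake_resolve(host)


def is_public_address(ip: str) -> bool:
    """True only for addresses that are neither private, loopback, link-local,
    multicast, reserved nor unspecified (ipaddress flags cover IPv4 and IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def hardened_target(url: str, resolve=fake_resolve) -> str:
    """Hardened shape: allowlist the scheme and host, refuse embedded credentials,
    then verify the *resolved* address before it is used, so an allowlisted name
    that resolves to a private address is still refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.username is not None:
        raise ValueError("credentials in URL not allowed")
    ip = resolve(host)
    if not is_public_address(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return ip


def rejected(url: str, resolve=fake_resolve) -> bool:
    """True when the hardened check refuses the URL."""
    try:
        hardened_target(url, resolve)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in ("https://images.example.com/logo.png",
                "http://internal.example.com/admin",
                "http://metadata.example/latest",
                "https://images.example.com@internal.example.com/"):
        before = vulnerable_target(url)
        after = "rejected" if rejected(url) else hardened_target(url)
        print(f"{url:55} vulnerable -> {before:16} hardened -> {after}")
```

The last check matters in practice: validating the hostname string alone is not enough, because the name can resolve to a private address (or be re-pointed there between check and use), so the resolved address must be the one tested and the one connected to.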
Microsoft Has Already Protected Your Cloud Environment — No Action Required
Here’s the really good news among the bad critical vulnerability disclosure stuff: there is no patch to install, no updates to deploy, and no action required by the user at all. “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take,” Microsoft said with regard to each of the cloud security issues mentioned. That’s because it comes under the remit of what the Microsoft Security Response Center refers to as a commitment to provide comprehensive vulnerability information to customers, by detailing cloud service CVEs once they have been patched internally.
A June 27, 2024 announcement, “Toward greater transparency: Unveiling Cloud Service CVEs,” confirmed that MSRC was on a continuing mission to protect customers, communities and Microsoft itself from emerging security threats. With cloud-based services now an integral part of everyday life, both business and personal, these cloud service CVEs have taken a much more pivotal position in the security lexicon. “In the past,” Microsoft said, “cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required.” With the value of full transparency now properly understood, all that has changed. “We will issue CVEs for critical cloud service vulnerabilities,” Microsoft confirmed, “regardless of whether customers need to install a patch or to take other actions to protect themselves.”
No longer is it deemed acceptable, and quite rightly so, that if a customer doesn’t need to install a security update, then there is no value in providing them with any detail of what the security issue was in order for them to maintain a secure defensive posture. “As our industry matures and increasingly migrates to cloud-based services,” Microsoft said, “we must be transparent about significant cybersecurity vulnerabilities that are found and fixed.” This aligns with Microsoft’s Secure Future Initiative, which outlines priorities that include implementing new identity protections, enhancing transparency, and ensuring a faster vulnerability response.
Google has also made a move towards a more transparent future regarding cloud CVEs. On November 12, 2024, Google announced it would expand its CVE program so as to issue CVEs for critical Google Cloud vulnerabilities, like Microsoft, even when no customer action or patching is required. “Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors,” Phil Venables, Google Cloud’s Chief Information Security Officer, said at the time. It’s good to see that both Google and Microsoft are on the same page when it comes to the importance of full transparency as far as cloud vulnerabilities are concerned. It’s something that can help make all of us feel that little bit more secure.