Microsoft confirms 10\/10 Azure vulnerability.<\/p>\n
SOPA Images\/LightRocket via Getty Images<\/p>\n
Update, May 11, 2025: This story, originally published May 9, has been updated with more details on the move towards greater cloud Common Vulnerabilities and Exposures (CVE) transparency by both Microsoft and Google.<\/p>\n
It\u2019s not often that a truly critical<\/a> security vulnerability emerges that hits the maximum Common Vulnerability Scoring System severity rating of 10. This is one of those times.<\/p>\n Microsoft has confirmed multiple vulnerabilities<\/a> rated as critical and impacting core cloud services, one of which has reached the unwelcome heights of that 10\/10 criticality rating. The good news is that none are known to have been exploited in the wild<\/a>, none have already been publicly disclosed, and as a user, there\u2019s nothing you need to do to protect your environment.<\/p>\n ForbesDark Web Alert \u2014 2.9 Billion Passwords, 14 Million Credit Cards StolenBy Davey Winder<\/a> A total of four cloud security vulnerabilities have been confirmed by Microsoft, one of which hit the 10\/10 rating, but two aren\u2019t a million miles short, both being given 9.9 ratings. The final vulnerability remains critical, with a CVSS severity rating of 9.1. Let\u2019s look at them in order of their criticality.<\/p>\n CVE-2025-29813<\/a> Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles the pipeline job tokens, enabling an attacker to potentially extend their access to a project. \u201cTo exploit this vulnerability,\u201d Microsoft said, \u201can attacker would first have to have access to the project and swap the short-term token for a long-term one.\u201d<\/p>\n CVE-2025-29972<\/a> Microsoft said that this Azure server-side request forgery vulnerability could allow an authorized attacker to perform \u201cspoofing\u201d over a network. In other words, a successful threat actor could exploit this vulnerability to distribute malicious requests that impersonate legitimate services and users.<\/p>\n CVE-2025-29827<\/a> Yet another Azure security vulnerability with an unbelievably high official severity rating of 9.9, this time enabling a successful hacker to elevate privileges across the network thanks to an improper authorization issue in Azure Automation.<\/p>\n CVE-2025-47733<\/a> Hooray, not Azure this time, and dropping on the criticality rating scale to a 9.1 as well. This vulnerability, as the name suggests, would allow an attacker to disclose information over the network. It\u2019s another server-side request forgery vulnerability but this time impacting Microsoft Power Apps.<\/p>\n
\nCritical Security Vulnerabilities Impacting Core Microsoft Cloud Services<\/p>\n
Critical Rating: 10.0
Azure DevOps Elevation of Privilege Vulnerability<\/p>\n
Critical Rating: 9.9
Azure Storage Resource Provider Spoofing Vulnerability<\/p>\n
Critical Rating: 9.9
Azure Automation Elevation of Privilege Vulnerability<\/p>\n
Critical Rating: 9.1
Microsoft Power Apps Information Disclosure Vulnerability<\/p>\n