Critical Azure and Power Apps Vulnerabilities Allow Attackers to Escalate Privileges

On May 9, 2025, Microsoft disclosed and patched four critical security vulnerabilities affecting key cloud services, including Azure DevOps, Azure Automation, Azure Storage, and Microsoft Power Apps. These vulnerabilities, if exploited, could have allowed attackers to escalate privileges and compromise cloud environments. Microsoft confirmed that none of these vulnerabilities had been exploited in the wild prior to the patches.

Azure DevOps Vulnerability (CVE-2025-29813):

The most severe of these vulnerabilities, identified as CVE-2025-29813, received a perfect CVSS score of 10.0. This flaw resided in Azure DevOps pipelines and allowed attackers with project-level access to exchange short-term pipeline job tokens for long-term tokens. This token swap could have extended their access across project environments, leading to potential unauthorized actions. The root cause was traced to how Visual Studio improperly handled pipeline job tokens. Microsoft addressed this by correcting the token handling logic to prevent such privilege escalations.
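As an added illustration of the bug class described above, and not Microsoft's code or how Azure DevOps actually implements its tokens, the constructed Python below contrasts a token-exchange endpoint that honours whatever lifetime and scopes the caller asks for with one that attenuates: the derived token may only narrow the presented job token's scopes and never outlives it. The token structure, scope names and job identifier are stand-ins invented for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a bearer token: who it acts as, what it may do, when it dies."""
    subject: str
    scopes: frozenset
    expires_at: float  # Unix timestamp

class TokenExchangeError(Exception):
    pass

def exchange_unsafe(presented: Token, requested_scopes, lifetime_seconds: float, now: float) -> Token:
    """Vulnerable pattern: the exchange trusts the caller's requested scopes and lifetime,
    so a short-lived, narrowly scoped job token buys a long-lived, broader one."""
    if presented.expires_at <= now:
        raise TokenExchangeError("presented token has expired")
    return Token(presented.subject, frozenset(requested_scopes), now + lifetime_seconds)

def exchange_attenuating(presented: Token, requested_scopes, lifetime_seconds: float, now: float) -> Token:
    """Hardened pattern: a derived token may only narrow the parent's scopes and never outlive it."""
    if presented.expires_at <= now:
        raise TokenExchangeError("presented token has expired")
    escalated = frozenset(requested_scopes) - presented.scopes
    if escalated:
        raise TokenExchangeError(f"scope escalation refused: {sorted(escalated)}")
    # The child inherits at most the parent's remaining lifetime, whatever was requested.
    expires_at = min(now + lifetime_seconds, presented.expires_at)
    return Token(presented.subject, frozenset(requested_scopes), expires_at)

def demo(now: float = 1_700_000_000.0) -> dict:
    """Runs both exchanges against a constructed one-hour job token and reports what each issued."""
    job_token = Token("pipeline-job-42", frozenset({"build:read", "artifacts:write"}), now + 3600)
    thirty_days = 30 * 24 * 3600
    long_lived = exchange_unsafe(job_token, {"project:admin"}, thirty_days, now)
    try:
        exchange_attenuating(job_token, {"project:admin"}, thirty_days, now)
        refused = False
    except TokenExchangeError:
        refused = True
    narrowed = exchange_attenuating(job_token, {"build:read"}, thirty_days, now)
    return {
        "unsafe_lifetime_seconds": long_lived.expires_at - now,  # 2592000: 30 days from a 1-hour token
        "unsafe_scopes": long_lived.scopes,                       # project:admin, never held by the job
        "hardened_refused_escalation": refused,                   # True
        "hardened_lifetime_seconds": narrowed.expires_at - now,   # 3600: capped at the parent's expiry
        "hardened_scopes": narrowed.scopes,                       # build:read only
    }
```

The two checks in `exchange_attenuating` (subset scopes, capped expiry) are the invariant a defender should look for in any token-exchange or impersonation API: nothing a caller presents should buy more authority or more time than it already holds.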

Azure Automation Vulnerability (CVE-2025-29827):

Another critical vulnerability, CVE-2025-29827, with a CVSS score of 9.9, affected Azure Automation services. This flaw involved improper authorization checks, allowing authenticated users to elevate their privileges over a network. The vulnerability was particularly concerning in multi-tenant environments, as it stemmed from weaknesses in the authorization framework. Microsoft implemented stricter authorization checks to mitigate this issue.

Azure Storage Resource Provider Vulnerability (CVE-2025-29972):

CVE-2025-29972, also with a CVSS score of 9.9, was a spoofing vulnerability within the Azure Storage Resource Provider. This server-side request forgery (SSRF) flaw enabled authorized attackers to craft requests that impersonated other services or users, potentially leading to unauthorized data access. Microsoft addressed this by enhancing request validation mechanisms to prevent such spoofing attempts.

Microsoft Power Apps Vulnerability (CVE-2025-47733):

The fourth vulnerability, CVE-2025-47733, with a CVSS score of 9.1, affected Microsoft Power Apps. This SSRF vulnerability could have allowed unauthorized attackers to disclose sensitive information without any prior authentication. The lack of an authentication requirement significantly increased its potential impact. Microsoft mitigated this by implementing stricter access controls and input validation.

No User Action Required:

Despite the severity of these vulnerabilities, Microsoft emphasized that no customer action is necessary. All flaws have been fully mitigated at the platform level, preventing exploitation even before public disclosure. This proactive approach aligns with Microsoft’s ongoing cloud security transparency initiative launched in June 2024, where the company publishes CVEs for critical cloud service vulnerabilities regardless of whether customers need to take action.

Historical Context:

This isn’t the first time Microsoft has addressed significant vulnerabilities in its cloud services. In August 2021, a misconfiguration in Microsoft Power Apps portals exposed 38 million records across 47 organizations, including personal information used for COVID-19 contact tracing and vaccination appointments. The issue stemmed from OData APIs being configured to allow public access, leading to unintended data exposure. Microsoft responded by updating documentation and providing tools to help customers identify and rectify such misconfigurations.

In January 2025, three security vulnerabilities in Dynamics 365 and Power Apps Web API were patched. These flaws could have resulted in data exposure and were discovered by cybersecurity company Stratus Security. The vulnerabilities involved a lack of access control on the OData Web API Filter and the FetchXML API, allowing unauthorized access to sensitive information. Microsoft addressed these issues by enhancing access controls and implementing stricter validation mechanisms.

Security Best Practices:

To mitigate risks associated with such vulnerabilities, organizations should adopt the following security best practices:

1. Implement Multi-Factor Authentication (MFA): Adding an extra layer of security beyond passwords can significantly reduce the risk of unauthorized access.

2. Use Environment-Level Security: Isolating resources based on their purpose and intended users helps prevent accidental data exposure or unintended access between environments.

3. Apply Role-Based Access Control (RBAC): Restricting access to users based on their roles within the organization ensures that each user only interacts with the information necessary for their role.

4. Secure Data Storage and Transmission: Ensuring that data is securely stored and transmitted using encryption protocols like TLS protects data from unauthorized access.

5. Apply Data Loss Prevention (DLP) Policies: Monitoring and restricting the sharing of sensitive information helps prevent accidental data leaks.

6. Regularly Monitor and Audit Activity: Implementing monitoring and auditing tools allows organizations to track user activities and identify unusual or suspicious behavior.

7. Keep Systems Updated: Regularly applying security patches and staying informed about the latest updates helps protect systems from known vulnerabilities.

8. Limit the Use of Custom Code: Minimizing custom code reduces the attack surface of applications and potential security risks.

9. Educate Users on Security Best Practices: Training employees on secure password practices, phishing threats, and proper data handling can significantly reduce security risks.

10. Develop Incident Response Plans: Having a plan in place outlines the steps to take in the event of a security breach, helping organizations respond quickly and effectively.

By adhering to these best practices, organizations can enhance the security of their cloud environments and protect sensitive data from potential threats.