Microsoft has patched four critical security vulnerabilities affecting several core cloud services including Azure DevOps, Azure Automation, Azure Storage, and Microsoft Power Apps.
These high-severity flaws, disclosed on May 9, 2025, could allow attackers to escalate privileges and compromise cloud environments, though Microsoft confirms none have been exploited in the wild.
The vulnerabilities underscore the rising complexity and interconnection of cloud platforms, emphasizing the need for strong security measures and ongoing monitoring.
Critical Azure DevOps and Automation Vulnerabilities
The most severe vulnerability, CVE-2025-29813, received a perfect CVSS score of 10.0, affecting Azure DevOps pipelines.
This critical elevation of privilege flaw allowed attackers with project-level access to swap short-term pipeline job tokens for long-term tokens, effectively extending their access across project environments.
Microsoft engineers identified the root cause in how Visual Studio improperly handles pipeline job tokens, implementing a correction in token handling logic to prevent privilege escalation.
Azure Automation services were impacted by CVE-2025-29827 (CVSS 9.9), where improper authorization checks allowed authenticated users to elevate their privileges over a network.
This vulnerability posed particular risks in multi-tenant environments; the underlying weakness is classified as CWE-285 (Improper Authorization).
Another critical vulnerability, CVE-2025-29972 (CVSS 9.9), is a server-side request forgery (SSRF) flaw within Azure Storage Resource Provider.
This spoofing vulnerability enabled authorized attackers to craft requests that impersonated other services or users, potentially leading to unauthorized data access.
The fourth vulnerability, CVE-2025-47733 (CVSS 9.1), affected Microsoft Power Apps and could allow unauthorized attackers to disclose sensitive information via SSRF techniques.
Unlike the other vulnerabilities, this one required no prior authentication, significantly increasing its potential impact if left unpatched.
CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
--- | --- | --- | --- | --- |
CVE-2025-29813 | Azure DevOps (Visual Studio) | Elevation of Privilege | Access to project (no prior privileges required); attacker must swap short-term token for long-term token | 10.0 (Critical) |
CVE-2025-29827 | Azure Automation | Elevation of Privilege | Authorized attacker with low privileges | 9.9 (Critical) |
CVE-2025-29972 | Azure Storage Resource Provider | Spoofing (SSRF) | Authorized attacker with low privileges | 9.9 (Critical) |
CVE-2025-47733 | Microsoft Power Apps | Information Disclosure (SSRF) | None (unauthorized attacker; no prior privileges required) | 9.1 (Critical) |
No User Action Required
Despite the severity of these vulnerabilities (three carrying CVSS scores above 9.0), Microsoft has emphasized that no customer action is necessary.
All flaws have been completely mitigated at the platform level, preventing exploitation even before public disclosure.
“This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency,” Microsoft stated in their advisory.
These disclosures align with Microsoft’s ongoing cloud security transparency initiative launched in June 2024. The company now publishes CVEs for critical cloud service vulnerabilities regardless of whether customers need to take action.
This approach represents a significant shift in how cloud service providers handle vulnerability disclosures.
Traditionally, cloud platforms only disclosed vulnerabilities requiring customer action, but Microsoft’s initiative aims to improve overall industry security through greater transparency regarding cloud infrastructure vulnerabilities.
Organizations should remain vigilant about their cloud security postures despite automatic mitigations, as cloud environments continue to be prime targets for sophisticated threat actors.