Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed


Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.

Update, May 11, 2025: This story, originally published May 9, has been updated with more details on the move towards greater cloud Common Vulnerabilities and Exposures transparency by both Microsoft and Google.

It is not often that a security vulnerability emerges that hits the maximum Common Vulnerability Scoring System severity rating of 10. This is one of those times. Microsoft has confirmed several vulnerabilities rated as critical and impacting core cloud services, one of which has reached the unwelcome heights of that 10/10 criticality rating. The good news is that none are known to have been exploited, none have been publicly disclosed, and as a user there is nothing you need to do to protect your environment.

A total of four cloud security vulnerabilities have been confirmed by Microsoft. One hit the 10/10 rating, but two aren’t a million miles short, both having been given 9.9 ratings. The final vulnerability remains critical, with a CVSS severity rating of 9.1. Let’s look at them in order of their criticality.

Azure DevOps Elevation of Privilege Vulnerability

Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles pipeline job tokens, enabling an attacker to potentially extend their access to a project. “To exploit this vulnerability,” Microsoft said, “an attacker would first have to have access to the project and swap the short-term token for a long-term one.”

The first of the two 9.9-rated issues is an Azure server-side request forgery vulnerability that, Microsoft said, could allow an authorized attacker to perform “spoofing” over a network. In other words, a successful threat actor could exploit this vulnerability to distribute malicious requests that impersonate legitimate services and users.

Yet another Azure security vulnerability carries an unbelievably high official severity rating of 9.9, this time enabling a successful hacker to elevate privileges across the network thanks to an improper authorization issue in Azure Automation.

Hooray, not Azure this time, and dropping on the criticality rating scale to a 9.1 as well. This vulnerability would allow an attacker to disclose information over the network. It’s another server-side request forgery vulnerability, but this time impacting Microsoft Power Apps.

Here’s the really good news among the bad critical vulnerability disclosure stuff: there is no patch to install, no updates to deploy, and no action required by the user at all. “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take,” Microsoft said with regard to each of the cloud security issues mentioned. That’s because they come under the remit of what the Microsoft Security Response Center refers to as a commitment to provide comprehensive vulnerability information to customers, by detailing cloud service CVEs once they have been patched internally.

A June 27, 2024 announcement, “Toward greater transparency: Unveiling Cloud Service CVEs,” confirmed that MSRC was on a continuing mission to protect customers, communities and Microsoft itself from emerging security threats. With cloud-based services now an integral part of everyday life, both business and personal, these cloud service CVEs have taken a much more pivotal position in the security lexicon. “In the past,” Microsoft said, “cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required.” With the value of full transparency now properly understood, all that has changed. “We will issue CVEs for critical cloud service vulnerabilities,” Microsoft confirmed, “regardless of whether customers need to install a patch or to take other actions to protect themselves.”

No longer is it deemed acceptable, and quite rightly so, to assume that if a customer doesn’t need to install a security update, then there is no value in giving them any detail of what the security issue was so that they can maintain a secure defensive posture. “As our industry matures and increasingly migrates to cloud-based services,” Microsoft said, “we must be transparent about significant cybersecurity vulnerabilities that are found and fixed.” This aligns with Microsoft’s Secure Future Initiative, which outlines priorities that include implementing new identity protections, enhancing transparency, and ensuring a faster vulnerability response.

Google has also made a move towards a more transparent future regarding cloud CVEs. On November 12, 2024, Google announced it would expand its CVE program so as to issue CVEs for critical Google Cloud vulnerabilities, like Microsoft, even when no customer action or patching is required. “Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors,” Phil Venables, Google Cloud’s Chief Information Security Officer, said at the time. It’s good to see that both Google and Microsoft are on the same page when it comes to the importance of full transparency as far as cloud vulnerabilities are concerned. It’s something that can help make all of us feel that little bit more secure.
