A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report and blocking a CVE from being issued.

The researcher's report describes a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged "Backup Contributor" role.

Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," even though the researcher documented new permission checks and failed exploit attempts after disclosure, which is suggestive of a silent patch.

CERT agrees it's a bug, but Microsoft blocks CVE

Security researcher Justin O'Leary discovered the security flaw this March and reported it to Microsoft on March 17.