CISA reports active exploitation of Microsoft Partner Center Flaw

Take action: You can't do much about this flaw; it's being handled by Microsoft. Still, it's odd that they haven't fixed it since November, when they reported and fixed the flaw outside of the regular cycle.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a critical vulnerability affecting Microsoft's partner program website has been actively exploited in cyberattacks. 

The vulnerability, tracked as CVE-2024-49035, is an improper access control vulnerability that allows threat actors to elevate their privileges on the Microsoft Partner Center website without authentication. It was initially disclosed and patched in November 2024.

According to Microsoft's advisory, the flaw impacts the online version of Microsoft Power Apps.

Microsoft has stated that users of the Partner Center website do not need to take any action, as releases are automatically rolled out over several days. The company appears to be handling the patching process on its end, since the vulnerability affects its online service.

Microsoft and CISA have not provided details about when the vulnerability was first exploited or by which threat actors.
