Microsoft Patches Critical Elevation of Privilege Flaws in Azure Services
Take action: You don't have to take action on these flaws. Microsoft has already patched them. But take note of the flaws when evaluating your vendors.
Learn More
Microsoft patched three critical security vulnerabilities within its Azure cloud environment on February 5, 2026, affecting core services used for multi-cloud management and content delivery.
The vulnerabilities could have allowed unauthenticated attackers to gain unauthorized access or elevate privileges across serverless computing and hybrid cloud infrastructures.
Vulnerabilities summary:
- CVE-2026-24300 (CVSS score 9.8) - An elevation of privilege vulnerability in Azure Front Door caused by improper access control (CWE-284). Attackers can send specially crafted network requests to the CDN endpoint to bypass security checks without any prior authentication. This allows an unauthenticated user to gain high-level permissions, leading to a total compromise of the service's confidentiality, integrity, and availability.
- CVE-2026-24302 (CVSS score 8.6) - An elevation of privilege vulnerability in Azure Arc that exploits improper access control mechanisms. The flaw allows a network-based attacker to escalate their permissions within the multi-cloud management framework without needing any prior credentials. Because the scope is changed, the attacker could potentially influence resources outside the immediate vulnerable component.
- CVE-2026-21532 (CVSS score 8.2) - An information disclosure vulnerability in Azure Functions resulting from the exposure of sensitive information to unauthorized actors (CWE-200). Attackers can use network-based probes to extract protected data from the serverless environment. This bypasses standard data protection boundaries, though it does not allow for direct code execution or system modification.
A successful exploit of Azure Front Door could have compromised global content delivery, and the Azure Arc flaw exposed the management of hybrid and multi-cloud environments. The Azure Functions vulnerability exposed a risk to sensitive data processed in serverless workflows, potentially exposing API keys, internal configuration details, or customer data processed by the functions.
Microsoft has patched these vulnerabilities through server-side updates to the Azure platform. Because these are cloud-service flaws, administrators and users do not need to take any manual action or install patches to protect their instances.
