Advisory

Microsoft patches critical flaws in core Cloud Services including Azure DevOps, Automation, Storage, and Power Apps

Take action: You don't have to do anything about these flaws; they are automatically patched in Azure. It is still worth taking note of the patches to keep track of your cloud provider.


Learn More

Microsoft has addressed four critical security vulnerabilities that affected several of its core cloud services, including Azure DevOps, Azure Automation, Azure Storage, and Microsoft Power Apps. 

Vulnerabilities summary:

  • CVE-2025-29813 (CVSS score 10.0) - An elevation of privilege vulnerability affecting Azure DevOps pipelines. It allowed attackers with project-level access to swap short-term pipeline job tokens for long-term tokens, effectively extending their access across project environments. Microsoft engineers identified the root cause in how Visual Studio improperly handles pipeline job tokens.
  • CVE-2025-29827 (CVSS score 9.9) - An improper authorization vulnerability in Azure Automation services. It allowed authenticated users to elevate their privileges over a network due to improper authorization checks.
  • CVE-2025-29972 (CVSS score 9.9) - A server-side request forgery (SSRF) vulnerability in Azure Storage Resource Provider. It enabled authorized attackers to create requests that impersonated other services or users, potentially leading to unauthorized data access.
  • CVE-2025-47733 (CVSS score 9.1) - An information disclosure vulnerability in Microsoft Power Apps. It allowed unauthenticated attackers to disclose sensitive information via SSRF techniques.

Microsoft reports that no customer action is necessary. All flaws have been mitigated at the platform level, preventing exploitation even before public disclosure: "This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency."
