Advisory

Microsoft reports and patches vulnerabilities in Azure and AI services

Take action: This is more of an FYI - you don't have to do anything. It's about being aware of the platform's flaws and of Microsoft's discipline in fixing them on Azure.


Learn More

Microsoft has disclosed and patched two critical security vulnerabilities affecting their cloud services:

Critical vulnerabilities:

  • CVE-2025-21415 (CVSS score 9.9) - Azure AI Face Service vulnerability. An authentication bypass vulnerability allowing authorized attackers to elevate privileges over a network. Microsoft has confirmed the existence of proof-of-concept exploit code for this flaw.
  • CVE-2025-21396 (CVSS score 7.5) - Microsoft Account vulnerability. A missing authorization flaw enabling unauthorized attackers to elevate privileges over a network.

Both vulnerabilities have been fully mitigated by Microsoft, with no customer action required. This disclosure aligns with Microsoft's June 2024 commitment to transparency regarding cloud service vulnerabilities, regardless of whether customers need to take action.

The patches are part of Microsoft's broader initiative to enhance cybersecurity transparency by issuing CVEs for critical cloud service vulnerabilities.
