What vulnerability has Microsoft reported in Power Automate?

Microsoft is reporting a critical security vulnerability in its Power Automate platform tracked as CVE-2025-47966 with a CVSS score of 9.8. The flaw affects Microsoft Power Automate, also known as Power Automate Desktop.

What is the severity score for the Microsoft Power Automate vulnerability?

CVE-2025-47966 has been assigned a CVSS score of 9.8, making it a critical security vulnerability that requires immediate attention.

Has Microsoft provided detailed information about the Power Automate vulnerability?

No, Microsoft did not provide specific details about the vulnerability other than stating it enables access to sensitive information and privilege escalation that could lead to complete system compromise.

How has Microsoft addressed the Power Automate vulnerability?

Microsoft has implemented server-side patches to address CVE-2025-47966. Since Power Automate is a cloud-based platform, Microsoft was able to apply the fix directly to their servers without requiring any action from customers.

Has the Power Automate vulnerability been exploited in the wild?

It's not clear whether anyone has exploited this flaw before it was patched. Microsoft has not disclosed any information about active exploitation of CVE-2025-47966.

What makes the Power Automate vulnerability particularly concerning?

The vulnerability is particularly concerning due to its critical CVSS score of 9.8 and its potential to enable complete system compromise through privilege escalation. Additionally, Power Automate is widely used by organizations for business automation, making it an attractive target for attackers.

Advisory

Microsoft reports critical flaw in Power Automate

Q: What can attackers achieve with the Power Automate vulnerability?

The vulnerability enables threat actors to access sensitive information and subsequently escalate their privileges across the target network, potentially leading to complete compromise of affected systems.

Q: Do customers need to take action to fix the Power Automate vulnerability?

No, Microsoft has implemented server-side patches that require no customer intervention. 'The vulnerability documented by this CVE does not require any customer action to fix,' Microsoft stated, as the vulnerability has already been patched on Microsoft servers.

published: June 7, 2025

Take action: You don't need to do anything about this flaw. It's already patched. But be aware that the provider had a flaw. If you have an Enterprise account, reach out for more details about any possible breaches that may have affected you.

Learn More

Microsoft is reporting a critical security vulnerability in its Power Automate platform. Microsoft Power Automate is a low-code cloud-based platform that helps organizations improve productivity by automating repetitive, time-consuming tasks and creating intelligent automations based on generative AI.

The flaw is tracked as CVE-2025-47966 (CVSS score 9.8) and Microsoft Power Automate, also known as Power Automate Desktop. Microsoft did not provide details about the vulnerability other than it enables threat actors to access sensitive information and subsequently escalate their privileges across the target network, potentially leading to complete compromise of affected systems.

Microsoft has implemented server-side patches that require no customer intervention. "The vulnerability documented by this CVE does not require any customer action to fix," writes Microsoft, as the vulnerability has already been patched by developers on Microsoft servers.

It's not clear whether anyone has exploited this flaw before it was patched.

Microsoft reports critical flaw in Power Automate

Read More
Multiple critical vulnerabilities impacting LangChain generative AI framework
Critical remote code execution flaw reported in pgAdmin4
Critical vulnerability reported in Java security framework pac4j
ConfusedComposer vulnerability in reported in Google Cloud Composer …
LeftoverLocals vulnerability leak LLM responses to other users …