Microsoft has confirmed the existence of multiple critical security vulnerabilities impacting its core cloud services, including one that has received the maximum Common Vulnerability Scoring System (CVSS) severity rating of 10.0.
Despite the critical nature of these flaws, Microsoft reports that none of the confirmed vulnerabilities are known to have been exploited in the wild, and none had been publicly disclosed prior to their confirmation. Importantly, users do not need to take any action to protect themselves from these vulnerabilities, as Microsoft has already implemented mitigations.
A total of four cloud security vulnerabilities have been confirmed by Microsoft. These include CVE-2025-29813, an Azure DevOps Elevation of Privilege Vulnerability with a CVSS rating of 10.0; CVE-2025-29972, an Azure Storage Resource Provider Spoofing Vulnerability rated 9.9; CVE-2025-29827, an Azure Automation Elevation of Privilege Vulnerability also rated 9.9; and CVE-2025-47733, a Microsoft Power Apps Information Disclosure Vulnerability with a 9.1 rating.
The most severe vulnerability, CVE-2025-29813, is an Azure DevOps pipeline token hijacking issue. Microsoft explained that it stems from Visual Studio improperly handling pipeline job tokens. “To exploit this vulnerability,” Microsoft said, “an attacker would first have to have access to the project and swap the short-term token for a long-term one,” potentially extending their access.
CVE-2025-29972, the Azure Storage Resource Provider Spoofing Vulnerability, is an Azure server-side request forgery flaw. Microsoft stated this could allow an authorized attacker to perform “spoofing” over a network, enabling a successful threat actor to distribute malicious requests that impersonate legitimate services and users.
The Azure Automation Elevation of Privilege Vulnerability, CVE-2025-29827, results from an improper authorization issue in Azure Automation. A successful exploit could allow a hacker to elevate privileges across the network.
The fourth vulnerability, CVE-2025-47733, affects Microsoft Power Apps and is an information disclosure flaw. This server-side request forgery vulnerability could allow an attacker to disclose information over the network.
Microsoft has emphasized that all these vulnerabilities have already been fully mitigated by the company. “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take,” Microsoft said regarding each of the cloud security issues.
These disclosures are part of a broader commitment to transparency. On June 27, 2024, the Microsoft Security Response Center (MSRC) announced a commitment to greater transparency regarding cloud Common Vulnerabilities and Exposures (CVEs), detailing cloud service CVEs once they have been patched internally.
Previously, Microsoft noted, “cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required.” However, with the value of full transparency now recognized, Microsoft confirmed, “We will issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.”
This transparency initiative aligns with Microsoft’s Secure Future Initiative, which prioritizes implementing new identity protections, enhancing transparency, and ensuring a faster vulnerability response. “As our industry matures and increasingly migrates to cloud-based services,” Microsoft stated, “we must be transparent about significant cybersecurity vulnerabilities that are found and fixed.”
Google has also made a similar move towards increased cloud vulnerability transparency. On November 12, 2024, Google announced it would expand its CVE program to issue CVEs for critical Google Cloud vulnerabilities, even when no customer action is needed. Phil Venables, Google Cloud’s Chief Information Security Officer, said at the time, “Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors.”
This story was originally published on May 9, 2025, and was updated on May 11, 2025, to include more details on the cloud CVE transparency moves by both Microsoft and Google.




