Microsoft Patches Critical Vulnerabilities in Azure AI Face Service and Microsoft Account

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure AI? This article is for you!


Microsoft has released patches for two critical security vulnerabilities affecting Azure AI Face Service and Microsoft Account, which could allow privilege escalation. The Azure AI Face Service vulnerability, with a CVSS score of 9.9, involves an authentication bypass that could enable privilege elevation, while the Microsoft Account vulnerability involves missing authorization. Both vulnerabilities have been mitigated, and no action is required from customers.


Key Facts

Risks:

Privilege Escalation, Cloud Service Provider Flaw

Keywords:

Microsoft Azure, Azure AI Face Service, CVE-2025-21415, CVE-2025-21396, Privilege Escalation, Security Patches

CVE:

CVE-2025-21396; CVE-2025-21415

Affected:

Azure AI Face Service, Microsoft Account


Article Body

Microsoft Addresses Critical Vulnerabilities in Azure AI Face Service and Microsoft Account

Microsoft has released security patches to fix two critical vulnerabilities affecting the Azure AI Face Service and Microsoft Account. These vulnerabilities posed significant risks of privilege escalation, which could potentially be exploited by malicious actors.

Overview of Vulnerabilities

  1. Azure AI Face Service Vulnerability (CVE-2025-21415)
     - Severity: Critical, with a CVSS score of 9.9.
     - Issue: The vulnerability involves an authentication bypass by spoofing. This flaw allows an attacker with authorized access to elevate their privileges over a network, thus gaining unauthorized control.
     - Discovery: Credited to an anonymous researcher who reported the flaw to Microsoft.

  2. Microsoft Account Vulnerability (CVE-2025-21396)
     - Severity: Critical, with a CVSS score of 7.5.
     - Issue: This vulnerability is due to missing authorization checks, which could allow an unauthorized attacker to elevate privileges over a network.
     - Discovery: A security researcher known as Sugobet discovered this vulnerability.

Impact and Mitigation

Both vulnerabilities have been fully mitigated by Microsoft. Importantly, no action is required from customers, as the patches have already been applied on the service side. Microsoft has acknowledged the existence of proof-of-concept exploit code for the Azure AI Face Service vulnerability, highlighting the potential risk had these issues not been addressed promptly.

These security updates underscore the importance of staying informed about emerging threats and ensuring that systems are regularly updated to protect against exploitation. For organizations using Azure AI services, this serves as a crucial reminder of the need for continuous monitoring and proactive security measures.


Read More

https://thehackernews.com/2025/02/microsoft-patches-critical-azure-ai.html?m=1