Amadey Botnet – Active IOCs
July 4, 2025
Severity
High
Analysis Summary
On May 9, 2025, Microsoft disclosed four critical security vulnerabilities affecting key cloud services, including Azure DevOps, Azure Automation, Azure Storage, and Microsoft Power Apps. These vulnerabilities, though not exploited in the wild, posed serious risks such as privilege escalation, unauthorized access, and data exposure across cloud environments. Microsoft confirmed that all flaws have been mitigated at the platform level, and no customer action is required.
The most severe flaw, CVE-2025-29813, received a CVSS score of 10.0 and impacted Azure DevOps pipelines. It allowed attackers with project-level access to escalate privileges by exchanging short-term job tokens for long-term ones, granting extended access across environments. Microsoft addressed the issue by correcting the token handling logic within Visual Studio.
CVE-2025-29827, rated 9.9, affected Azure Automation and stemmed from improper authorization checks. It allowed authenticated users to escalate privileges over the network, posing higher risks in multi-tenant scenarios. Similarly, CVE-2025-29972, another 9.9-rated flaw, was a server-side request forgery (SSRF) vulnerability in Azure Storage that allowed attackers to impersonate other services or users.
The fourth vulnerability, CVE-2025-47733 (CVSS 9.1), affected Microsoft Power Apps. It enabled unauthenticated attackers to perform SSRF attacks and potentially disclose sensitive information. This was particularly concerning due to the lack of authentication required to exploit it.
These disclosures are part of Microsoft’s ongoing cloud security transparency initiative, launched in 2024, which commits to reporting all critical vulnerabilities—even those that require no user action. This shift in disclosure policy aims to raise awareness and strengthen industry-wide cloud security practices, as cloud environments remain high-value targets for advanced threat actors.
Impact
- Privilege Escalation
- Unauthorized Access
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-29813
CVE-2025-29827
CVE-2025-29972
CVE-2025-47733
Affected Vendors
- Microsoft
Affected Products
- Microsoft Azure Automation
- Microsoft Azure DevOps
- Microsoft Power Apps
- Microsoft Azure Storage Resource Provider (SRP)
Remediation
- Upgrade all affected Azure services and Microsoft Power Apps instances to the latest versions to ensure all security patches are applied.
- No immediate user action is required, as Microsoft has already mitigated the vulnerabilities at the platform level.
- Review and restrict project-level access in Azure DevOps to minimize the risk of privilege escalation.
- Audit Azure Automation configurations to ensure proper authorization controls, especially in multi-tenant environments.
- Monitor Azure Storage environments for unusual traffic patterns or SSRF-related activity.
- Review and secure endpoints in Microsoft Power Apps to prevent unauthorized data access, especially from unauthenticated sources.
- Apply the principle of least privilege across all cloud services and enforce strong role-based access control (RBAC) policies.
- Regularly review Microsoft security advisories and CVE updates as part of a proactive cloud security strategy.