Microsoft fixes four critical cloud vulnerabilities: one reaches maximum severity level

The company mitigates critical failures in Azure and Power Apps that highlight the structural risks of shared cloud environments.

Microsoft has announced the resolution of four critical vulnerabilities affecting its cloud services, including Azure DevOps, Azure Automation, Azure Storage, and Power Apps. One of these flaws, recorded as CVE-2025-29813, has been assigned the highest severity rating according to the CVSS system: 10 out of 10, making it one of the most concerning vulnerabilities recently identified in cloud environments.

This flaw directly affected Visual Studio and its management of execution tokens (pipeline job tokens) in projects hosted on Azure DevOps. An attacker with minimal access could swap a short-lived token for a long-lived one, allowing persistent access and privilege escalation within the compromised project.

In addition, Microsoft has identified three other equally critical vulnerabilities:

  • CVE-2025-29827 (CVSS 9.9), affecting Azure Automation. An authorization issue (CWE-285) allowed authenticated users to escalate their privileges in multi-user environments, fully compromising runbooks and automated processes.
  • CVE-2025-29972 (CVSS 9.9), a case of server-side request forgery (SSRF) in the Azure Storage Resource Provider service. This vulnerability allowed the impersonation of internal services and unauthorized access to other resources or identities.
  • CVE-2025-47733 (CVSS 9.1), another SSRF affecting Microsoft Power Apps. Unlike the previous vulnerabilities, this flaw did not require authentication, enabling the exfiltration of information through simple manipulated requests.

According to the company, none of these vulnerabilities have been actively exploited, and all have already been mitigated on the provider side, so no direct intervention is required from users.

However, cybersecurity experts recommend that organizations follow a series of best practices:

  • Review activity logs in pipelines, runbooks, and storage for suspicious access or misuse of tokens.
  • Strictly apply the principle of least privilege for accounts, service identities (service principals), and subscriptions.
  • Separate development and production environments to prevent limited compromises from escalating to critical infrastructures.
  • Monitor alerts from tools such as Defender for Cloud or SIEM solutions that help detect patterns associated with SSRF or abuse of temporary credentials.
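One way to apply the log-review and SSRF-monitoring advice above, as an added example rather than code from Microsoft or the cited sources: it scans request lines for URL-valued parameters that point at loopback, link-local, or private addresses. The log lines, parameter names, and the `INTERNAL_NAMES` set are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (method, request target); not real telemetry.
SAMPLE_LOG = [
    "GET /api/preview?url=https%3A%2F%2Fexample.com%2Flogo.png",
    "GET /api/preview?url=http%3A%2F%2F169.254.169.254%2Fmetadata%2Finstance",
    "POST /api/import?source=http%3A%2F%2F10.0.4.17%3A8080%2Fadmin&mode=full",
    "GET /api/fetch?target=http%3A%2F%2Flocalhost%2Fstatus",
    "GET /search?q=http+headers+explained",
]

INTERNAL_NAMES = {"localhost"}  # assumption: extend with your internal DNS names


def internal_reason(host):
    """Return why a host counts as internal, or None if it looks external."""
    if host is None:
        return None
    host = host.lower().rstrip(".")
    if host in INTERNAL_NAMES:
        return "internal hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; resolving it is out of scope here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # checked before is_private, which also covers this range
        return "link-local (metadata range)"
    if ip.is_private:
        return "private range"
    return None


def find_ssrf_candidates(lines):
    """Return (line, parameter, host, reason) for URL parameters aimed at internal hosts."""
    hits = []
    for line in lines:
        _, _, target = line.partition(" ")
        for name, value in parse_qsl(urlsplit(target).query):
            try:
                parts = urlsplit(value)  # parse_qsl already percent-decoded the value
            except ValueError:
                continue  # malformed URL in the parameter; not classifiable here
            if parts.scheme in ("http", "https"):
                reason = internal_reason(parts.hostname)
                if reason:
                    hits.append((line, name, parts.hostname, reason))
    return hits
```

A hit is a lead for review, not proof of compromise: some applications legitimately accept internal URLs, and DNS names that resolve to internal addresses are not covered by this check.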

This new incident underscores the inherent risks of multi-tenant environments in the cloud, where multiple customers share infrastructure under the same system. Secure management of identities, permissions, and internal communications between services thus becomes a fundamental pillar of modern cybersecurity.

In line with its “Secure Future” initiative, Microsoft has reinforced its commitment to transparency in vulnerability disclosure. Since mid-2024, the company has been publishing CVE identifiers for critical flaws in its cloud services, even when no customer intervention is required. This practice has also recently been adopted by Google in Google Cloud, aiming to promote a culture of shared and proactive security.

These decisions reflect a significant shift in the industry, which has historically tended to hide mitigated flaws unless they posed an immediate risk to users. Today, both Microsoft and Google agree that complete and timely information about vulnerabilities is essential for improving the defensive preparedness of the digital ecosystem.

Sources: MITRE CVE, Microsoft Security Response Center, Forbes, Hispasec Una al Día.

MITRE Corporation. CVE-2025-29813. Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29813
MITRE Corporation. CVE-2025-29827. Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29827
MITRE Corporation. CVE-2025-29972. Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29972
MITRE Corporation. CVE-2025-47733. Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47733
