Microsoft has released patches for two critical security vulnerabilities affecting Azure AI Face Service and Microsoft Account, which could enable attackers to escalate privileges under specific conditions.

The vulnerabilities are:

  • CVE-2025-21396 (CVSS score: 7.5) – A privilege escalation flaw in Microsoft Account caused by missing authorization, discovered by security researcher Sugobet.
  • CVE-2025-21415 (CVSS score: 9.9) – An authentication bypass issue in Azure AI Face Service that allows an authorized attacker to escalate privileges over a network, reported by an anonymous researcher.

Microsoft has acknowledged the existence of proof-of-concept (PoC) exploit code for CVE-2025-21415 but assures that both vulnerabilities have been fully mitigated, requiring no action from customers.

These advisories align with Microsoft's broader commitment to transparency, ensuring critical cloud service vulnerabilities are disclosed even if no user intervention is needed. The company emphasized that as industries shift toward cloud-based services, openly sharing security flaws and fixes strengthens overall cybersecurity resilience and protects critical infrastructure.