Critical Azure and Power Apps Vulnerabilities Allow Privilege Escalation for Attackers

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power Apps platform that could allow attackers to escalate privileges, perform spoofing attacks, or access sensitive information.

Security researchers discovered these high-severity flaws, with one receiving a maximum CVSS score of 10.0, underscoring the potential impact on enterprise environments.

The most severe vulnerability, CVE-2025-29813, received the maximum CVSS score of 10.0 and affects Azure DevOps pipelines.

The flaw stems from improper handling of pipeline job tokens within Visual Studio.

An attacker who already had some access to a project could exploit this vulnerability to exchange a short-lived pipeline job token for a long-lived one, keeping access after the job that issued the token had finished and extending their privileges within the project.

“An attacker who successfully exploited this vulnerability could extend their access to a project,” Microsoft explained in its security bulletin. The vulnerability has been classified under CWE-302 (Authentication Bypass by Assumed-Immutable Data).
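A defender-side check that follows from the token swap described above, added here as an example and not code from the article or from Microsoft: it audits personal access tokens for long lifetimes and full-access scope, which is what an attacker who traded a short-lived job token for a durable credential would leave behind. It assumes the response shape of the Azure DevOps PAT Lifecycle Management API (`GET https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version=7.1-preview.1`, with `displayName`, `scope`, `validFrom` and `validTo` fields), uses constructed sample data instead of a live call, and the 90-day threshold and the `app_token` scope name are assumptions about policy and API naming, not anything the article states.

```python
"""Flag long-lived or over-scoped Azure DevOps personal access tokens.

Added example. The JSON below is constructed to imitate the shape of the
PAT Lifecycle Management API response so the script runs offline; the token
names and dates are made up and do not come from any real organization.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumptions: the lifetime ceiling is a local policy choice, and "app_token"
# is the scope string Azure DevOps uses for "Full access" PATs.
MAX_LIFETIME_DAYS = 90
FULL_ACCESS_SCOPE = "app_token"

# Constructed sample in the shape of GET .../_apis/tokens/pats
SAMPLE_PATS = json.dumps({
    "patTokens": [
        {"displayName": "ci-readonly", "scope": "vso.code",
         "validFrom": "2025-05-01T00:00:00Z", "validTo": "2025-05-31T00:00:00Z"},
        {"displayName": "release-bot", "scope": "app_token",
         "validFrom": "2025-05-01T00:00:00Z", "validTo": "2026-05-01T00:00:00Z"},
        {"displayName": "nightly", "scope": "vso.build",
         "validFrom": "2025-01-01T00:00:00Z", "validTo": "2025-12-31T00:00:00Z"},
    ]
})


def _parse_utc(ts: str) -> datetime:
    """Parse the API's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_pats(raw_json: str, max_days: int = MAX_LIFETIME_DAYS) -> list[dict]:
    """Return one finding per token that is long-lived or full-access.

    Each finding carries the token's display name, its lifetime in days and
    the list of reasons it was flagged, so it can be fed to a ticketing or
    alerting pipeline.
    """
    findings = []
    for tok in json.loads(raw_json)["patTokens"]:
        lifetime = _parse_utc(tok["validTo"]) - _parse_utc(tok["validFrom"])
        reasons = []
        if lifetime > timedelta(days=max_days):
            reasons.append(f"lifetime {lifetime.days}d exceeds {max_days}d")
        if tok["scope"] == FULL_ACCESS_SCOPE:
            reasons.append("full-access scope")
        if reasons:
            findings.append({
                "name": tok["displayName"],
                "lifetime_days": lifetime.days,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pats(SAMPLE_PATS):
        print(f"{finding['name']}: {'; '.join(finding['reasons'])}")
```

The PAT endpoint lists only the calling user's tokens, so an organization-wide sweep has to run under each identity of interest or be driven from the Azure DevOps audit log instead; the flagging logic is the same either way.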

Azure DevOps Pipeline Token Vulnerability

Alongside the Azure DevOps flaw, Microsoft addressed three additional critical vulnerabilities:

CVE-2025-29827 affects Azure Automation and received a CVSS score of 9.9. This improper authorization vulnerability allows authenticated attackers to elevate their privileges across a network. The vulnerability is classified under CWE-285 (Improper Authorization).

CVE-2025-29972, which also scored 9.9, is a server-side request forgery (SSRF) vulnerability in the Azure Storage Resource Provider.

An authenticated attacker could send crafted requests that cause the resource provider to issue requests on their behalf, so that the traffic appears to originate from Microsoft's own service rather than from the attacker, which Microsoft classifies as spoofing over a network.

The fourth vulnerability, CVE-2025-47733, affects Microsoft Power Apps and received a CVSS score of 9.1.

Unlike the others, this SSRF flaw requires no authentication: an unauthorized attacker could use it to disclose information over a network.

Despite the severity of these vulnerabilities, Microsoft has emphasized that no customer action is necessary.

According to Microsoft, all four flaws were fully mitigated on the service side before public disclosure, so there is nothing for customers to patch or configure.

“The vulnerability documented by this CVE requires no customer action to resolve,” Microsoft noted in each security bulletin.

“This vulnerability has already been fully mitigated by Microsoft.”

Other Critical Cloud Service Vulnerabilities

This cluster of cloud-service fixes comes amid a busy year for Microsoft's security response. Earlier this year, Microsoft patched a Windows CLFS zero-day vulnerability (CVE-2025-29824) that was actively exploited in the wild.

In March, the company released protections against CVE-2025-29927, the Next.js middleware authorization bypass.

Security researchers have previously uncovered other significant Azure vulnerabilities, including the “AutoWarp” flaw in Azure Automation Service that allowed unauthorized access to other customer accounts, and issues with Azure Shared Key authorization that could be exploited to steal access tokens.

Microsoft continues to strengthen its cloud security posture through regular updates and transparent disclosure of vulnerabilities, even when patched proactively.

Security experts recommend that organizations keep monitoring their cloud environments even so: a service-side fix leaves no patch to deploy, so token usage, role assignments and outbound requests from managed services remain the only customer-visible signals of abuse.
