May 11, 2025, 12:00 AM

Microsoft confirms critical cloud vulnerabilities reaching severity of 10

Highlights
  • Microsoft confirmed critical vulnerabilities affecting core cloud services on May 9, 2025.
  • A vulnerability with a critical rating of 10 has been identified in Azure DevOps, along with other high-severity issues.
  • Despite the serious nature of these vulnerabilities, no user action is required as Microsoft has already implemented mitigations.
Story

Microsoft has reported several significant cloud security vulnerabilities affecting its core services on May 9, 2025. This disclosure, which includes a vulnerability with the maximum critical rating of 10, highlights a growing transparency effort by tech companies concerning cybersecurity threats. None of the vulnerabilities confirmed by Microsoft, which include issues related to Azure DevOps, Azure Storage, and Azure Automation, have been exploited publicly, and users are not required to take any action. This marks a pivotal change in how cloud service providers communicate and respond to security vulnerabilities.

The critical vulnerability, designated CVE-2025-29813, involves a hijacking issue due to improper handling of pipeline tokens in Azure DevOps, risking unauthorized access to projects. Other notable vulnerabilities include CVE-2025-29972 and CVE-2025-29827, both rated 9.9, relating to server-side request forgery and privilege escalation in Azure services respectively. The reported issues, particularly the highest-rated one, have raised concerns within the cybersecurity community about the integrity of cloud environments.

Microsoft has stressed that despite the critical nature of these vulnerabilities, there is no immediate risk to users since these issues have already been mitigated. This approach suggests an industry shift towards proactive vulnerability management, wherein even resolved issues receive public disclosure to keep users informed. The company's Secure Future Initiative aims to increase transparency in reporting vulnerabilities and further enhance identity protection measures.

In parallel, Google has moved towards similar practices by announcing its expansion of CVEs for critical vulnerabilities in its Google Cloud services. This commitment from both tech giants underscores a broader trend towards transparency regarding cybersecurity, which serves to establish trust and enhance security measures across cloud-based services.

Users of these platforms can be reassured that while vulnerabilities are a persistent concern, the responsiveness and communication from these leading companies indicate improvements in safeguarding customer interests.
