Microsoft Confirms Critical 10/10 Cloud Security Vulnerability
It's not often that a truly critical security vulnerability emerges that hits the maximum Common Vulnerability Scoring System (CVSS) severity rating of 10. This is one of those times. Microsoft has confirmed multiple vulnerabilities rated as critical and impacting core cloud services, one of which has reached the unwelcome heights of that 10/10 criticality rating. The good news is that none are known to have been exploited in the wild, none have already been publicly disclosed, and as a user, there's nothing you need to do to protect your environment.
Critical Security Vulnerabilities Impacting Core Microsoft Cloud Services
A total of four cloud security vulnerabilities have been confirmed by Microsoft, one of which hit the 10/10 rating, but two aren't a million miles short, both being given 9.9 ratings. The final vulnerability remains critical, with a CVSS severity rating of 9.1. Let's take a closer look at each of them in order of their criticality.
CVE-2025-29813 Critical Rating: 10.0 - Azure DevOps Elevation of Privilege Vulnerability
Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles the pipeline job tokens, enabling an attacker to potentially extend their access to a project. "To exploit this vulnerability," Microsoft said, "an attacker would first have to have access to the project and swap the short-term token for a long-term one."
CVE-2025-29972 Critical Rating: 9.9 - Azure Storage Resource Provider Spoofing Vulnerability
Microsoft said that this Azure server-side request forgery (SSRF) vulnerability could allow an authorized attacker to perform "spoofing" over a network. In other words, a threat actor who already holds some level of access could use the flaw to send requests that appear to originate from legitimate services and users.
CVE-2025-29827 Critical Rating: 9.9 - Azure Automation Elevation of Privilege Vulnerability
Yet another Azure security vulnerability with an unbelievably high official severity rating of 9.9, this time enabling a successful hacker to elevate privileges across the network thanks to an improper authorization issue in Azure Automation.
CVE-2025-47733 Critical Rating: 9.1 - Microsoft Power Apps Information Disclosure Vulnerability
This vulnerability, as the name suggests, would allow an attacker to disclose information over the network. It's another server-side request forgery vulnerability but this time impacting Microsoft Power Apps.
No Action Required for Users
There is no patch to install, no updates to deploy, and no action required by the user at all. "This vulnerability has already been fully mitigated by Microsoft," the company said of each of the cloud security issues mentioned. That's because these disclosures fall under what the Microsoft Security Response Center describes as a commitment to provide comprehensive vulnerability information to customers, by detailing cloud service CVEs once they have been patched internally.
A New Era of Transparency
"In the past," Microsoft said, "cloud service providers refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required." With the value of full transparency now properly understood, all that has changed. "We will issue CVEs for critical cloud service vulnerabilities," Microsoft confirmed, "regardless of whether customers need to install a patch or to take other actions to protect themselves."