
Microsoft Patches Critical Azure AI Face Service Security Flaws



Microsoft has released security updates to address two critical vulnerabilities affecting Azure AI Face Service and Microsoft Account, which could allow attackers to escalate privileges under certain conditions.


Key Vulnerabilities Fixed

1️⃣ CVE-2025-21396 (CVSS Score: 7.5) – Microsoft Account Elevation of Privilege Vulnerability

2️⃣ CVE-2025-21415 (CVSS Score: 9.9) – Azure AI Face Service Elevation of Privilege Vulnerability


According to Microsoft’s advisory, CVE-2025-21415 is a high-risk authentication bypass flaw in Azure AI Face Service that allows an authorized attacker to escalate privileges over a network. The vulnerability was reported by an anonymous security researcher.


Meanwhile, CVE-2025-21396 results from missing authorization checks, enabling unauthorized attackers to elevate privileges remotely. This flaw was reported by a researcher known as Sugobet.


Proof-of-Concept (PoC) and Microsoft’s Response

Microsoft has confirmed that a proof-of-concept (PoC) exploit exists for CVE-2025-21415. However, the company says both vulnerabilities have been fully mitigated and that no customer action is required.


Microsoft’s Transparency on Cloud Security

These advisories align with Microsoft’s commitment to transparency in cloud security, ensuring customers are informed about significant threats—even if no direct action is needed.


"As our industry shifts towards cloud-based services, transparency about cybersecurity vulnerabilities is essential. By openly sharing details on discovered and resolved threats, Microsoft and its partners can enhance security and protect critical infrastructure," the company stated in a June 2024 update.


Final Thoughts

With a CVSS score of 9.9, the Azure AI Face Service vulnerability posed a severe risk. Microsoft’s rapid response and proactive patching highlight the importance of continuous monitoring and security updates in cloud environments.


🔹 Stay Updated: Always ensure your cloud services are up to date with the latest security patches.
