
Critical Security Vulnerabilities Impacting Core Microsoft Cloud Services

Microsoft Cloud Services Hit by Four Critical Vulnerabilities Including Maximum Severity Rating (10.0 CVSS)

Microsoft has confirmed the discovery of four critical security vulnerabilities affecting its core cloud services, one of which carries the maximum possible Common Vulnerability Scoring System (CVSS) score of 10.0.

The most severe, CVE-2025-29813, is an elevation of privilege vulnerability in Azure DevOps that could let an attacker who already has access to a project hijack pipeline job tokens.

According to Microsoft, the flaw arises "when Visual Studio improperly handles the pipeline job tokens," enabling an attacker to "swap the short-term token for a long-term one," turning a credential that should expire with the job into a persistent one.

Two further vulnerabilities received near-maximum severity ratings of 9.9. CVE-2025-29972 is a spoofing vulnerability in the Azure Storage Resource Provider that could allow an unauthorized attacker to send requests impersonating a legitimate service. CVE-2025-29827 is an elevation of privilege vulnerability in Azure Automation caused by improper authorization.

The fourth vulnerability, CVE-2025-47733, affects Microsoft Power Apps and is rated 9.1. It is an information disclosure vulnerability that could let an attacker reach sensitive data through server-side request forgery (SSRF), in which the service is tricked into making requests on the attacker's behalf to destinations it should never contact.
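The following is an added illustration of the SSRF class named above, not code from Power Apps or from Microsoft, and it does not describe how CVE-2025-47733 was fixed. It shows the check a service should run before fetching a user-supplied URL: restrict the scheme, refuse embedded credentials, resolve the host, and reject any address in loopback, private, link-local (including the 169.254.169.254 cloud metadata endpoint) or IPv4-mapped IPv6 ranges. The hostnames, the DNS table and the `fake_resolve` function are constructed so the example runs offline.

```python
"""Generic SSRF guard: validate a user-supplied URL before the server fetches it.

Added example for the vulnerability class discussed in the article; it is not
Power Apps code and does not reflect the actual CVE-2025-47733 fix.
"""
import ipaddress
from typing import Callable, Dict, List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges an outbound fetch must never reach: loopback, RFC 1918,
# link-local (which contains the 169.254.169.254 metadata endpoint),
# multicast/reserved, and IPv4-mapped IPv6 (used to smuggle IPv4 targets
# past checks that only look at the dotted-quad form).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""


def _blocked(ip: IPAddress) -> bool:
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver) -> List[str]:
    """Return the IP addresses the fetch may connect to, or raise UnsafeUrl.

    The caller should connect to one of the returned addresses (sending the
    original Host header) instead of re-resolving the name, so that a DNS
    answer that changes between check and fetch (rebinding) cannot bypass it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://trusted.example@10.0.0.5/" defeats a naive prefix check.
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")

    try:
        # IP literal (IPv6 literals arrive here with the brackets stripped).
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = resolve(host)
        if not resolved:
            raise UnsafeUrl(f"unresolvable host: {host!r}")
        addrs = [ipaddress.ip_address(a) for a in resolved]

    # Every answer must be public; a name that resolves to one public and
    # one private address is rejected outright.
    for ip in addrs:
        if _blocked(ip):
            raise UnsafeUrl(f"{host!r} resolves to blocked address {ip}")
    return [str(ip) for ip in addrs]


def is_safe_outbound_url(url: str, resolve: Resolver) -> bool:
    try:
        validate_outbound_url(url, resolve)
        return True
    except UnsafeUrl:
        return False


# Constructed DNS table so the example runs offline; a real deployment would
# pass a resolver built on socket.getaddrinfo instead.
FAKE_DNS: Dict[str, List[str]] = {
    "api.partner.example": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "split.example": ["203.0.113.20", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in (
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
        "http://[::ffff:169.254.169.254]/",
        "https://api.partner.example@metadata.internal/",
        "https://split.example/",
        "file:///etc/passwd",
    ):
        verdict = "ALLOW" if is_safe_outbound_url(u, fake_resolve) else "BLOCK"
        print(f"{verdict:5} {u}")
```

Two points matter beyond the list of ranges: the check must run on every resolved address, not just the first, and the connection must be made to the validated address rather than to the hostname again, otherwise a second DNS lookup can return an internal address the check never saw. Redirects need the same treatment, so a fetch that follows 3xx responses has to re-validate each new location.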

The good news for users is that Microsoft has already mitigated all four vulnerabilities on the service side, with "no action for users or the service to take," according to the company. Because the fixes were applied within Microsoft's infrastructure, there is nothing for customers to patch; the CVE entries exist as a public record of the issues rather than as a call to action.

This disclosure aligns with Microsoft's June 2024 commitment to greater transparency regarding cloud vulnerabilities. The company now issues CVEs for cloud service vulnerabilities regardless of whether customer action is required – a significant change from previous industry practices.

"As our industry matures and increasingly migrates to cloud-based services, we must be transparent about significant cybersecurity vulnerabilities that are found and fixed," Microsoft stated in their announcement.

Google has also moved toward greater transparency on cloud CVEs.

On November 12, 2024, Google announced that it would expand its CVE program to issue CVEs for critical Google Cloud vulnerabilities even when, as under Microsoft's policy, no customer action or patching is required. "Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors," Phil Venables, Google Cloud's Chief Information Security Officer, said at the time.

None of these vulnerabilities were known to have been exploited in the wild prior to mitigation.
