
Microsoft has issued critical security updates addressing two significant vulnerabilities affecting its Azure AI Face Service and Microsoft Account systems. These high-severity flaws could enable privilege escalation attacks.
The identified vulnerabilities are:
1. Microsoft Account Vulnerability (CVE-2025-21396)
   – Severity: Critical (CVSS 7.5)
   – Issue: Missing authorization controls
   – Discovery: Reported by researcher “Sugobet”
2. Azure AI Face Service Vulnerability (CVE-2025-21415)
   – Severity: Critical (CVSS 9.9)
   – Issue: Authentication bypass through spoofing
   – Discovery: Reported by an anonymous researcher
   – Note: Proof-of-concept exploit code exists
Microsoft has confirmed that both vulnerabilities have been fully remediated, requiring no action from customers. This disclosure aligns with Microsoft’s commitment to transparency regarding cloud service vulnerabilities, announced in June 2024. The company emphasizes that sharing such security information enables better collaboration and strengthens critical infrastructure protection across the industry.
These patches demonstrate Microsoft’s proactive approach to cloud security, issuing CVEs for significant vulnerabilities regardless of whether customer action is required.