Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions.
The flaws are listed below –
- CVE-2025-21396 (CVSS score: 7.5) – Microsoft Account Elevation of Privilege Vulnerability
- CVE-2025-21415 (CVSS score: 9.9) – Azure AI Face Service Elevation of Privilege Vulnerability
“Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network,” Microsoft said in an advisory for CVE-2025-21415, crediting an anonymous researcher for reporting the flaw.

CVE-2025-21396, on the other hand, stems from a case of missing authorization that could allow an unauthorized attacker to elevate privileges over a network. A security researcher who goes by the alias Sugobet has been acknowledged for discovering it.
The tech giant also noted that it is aware of the existence of proof-of-concept (PoC) exploit code for CVE-2025-21415, adding that both vulnerabilities have been fully mitigated. The flaws require no customer action.
The advisories are part of Microsoft’s ongoing efforts to improve transparency by issuing CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or take other actions to secure themselves.
“As our industry matures and more and more migrates to cloud-based services, we have to be clear about significant cybersecurity vulnerabilities that are discovered and fixed,” it noted back in June 2024.
“By openly sharing information about vulnerabilities that are found and resolved, we enable Microsoft and our partners to learn and improve. This collaborative effort contributes to the protection and resilience of our critical infrastructure.”