
Microsoft has addressed a cluster of critical vulnerabilities affecting several of its core cloud services—including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps. Although none of these flaws have been publicly disclosed or exploited in the wild, their potential impact underscores the importance of proactive security hygiene in cloud-native development environments.
CVE-2025-29813 (CVSS 10.0): Azure DevOps Pipeline Token Hijack
The most severe of the group, this vulnerability in Azure DevOps received a maximum CVSS score of 10.0. According to Microsoft, it allowed attackers with project-level access to swap short-term pipeline job tokens for long-term tokens, effectively escalating their privileges across a project environment.
“An attacker who successfully exploited this vulnerability could extend their access to a project,” Microsoft warned, adding that the issue lay in how the Visual Studio updater handled these sensitive tokens. The fix corrects the token-handling logic so that it no longer permits this privilege escalation.
CVE-2025-29827 (CVSS 9.9): Azure Automation Improper Authorization
This elevation of privilege vulnerability impacted Azure Automation, where improper authorization allowed a legitimate user to elevate their privileges over a network. Though limited to authorized attackers, the flaw posed a critical threat in shared or multi-tenant environments.
CVE-2025-29972 (CVSS 9.9): Azure Storage Resource Provider Spoofing via SSRF
This spoofing vulnerability stemmed from a server-side request forgery (SSRF) vector within the Azure Storage Resource Provider. By abusing that SSRF vector, an authorized attacker could send crafted requests that impersonated other services or users.
CVE-2025-47733 (CVSS 9.1): Microsoft Power Apps Information Disclosure
Another SSRF vulnerability—but this time affecting Microsoft Power Apps—was found to allow unauthorized attackers to disclose information over a network. Unlike the other vulnerabilities, this one didn’t require prior authentication, increasing its potential risk if left unpatched.
No Action Required
Despite the severity of the vulnerabilities—three of which carry a CVSS score above 9.0—Microsoft emphasized that no user action is necessary. All flaws have been mitigated at the platform level, preventing any abuse even before public disclosure.