Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network.
The vulnerability classified as CWE-290 (Authentication Bypass by Spoofing) involves an attacker impersonating an authorized entity to bypass identity verification mechanisms. This enables privilege escalation in the Azure AI Face Service without requiring higher privileges than a standard user account. The attack can be conducted remotely over the network without requiring user interaction, and its effects extend beyond the direct scope of the attacked component (Scope: Changed).
An attacker can gain elevated privileges in the Azure AI Face Service, leading to complete compromise of confidentiality, integrity, and availability of processed data and service functionality.
Apply patches available from the vendor according to references published in the Microsoft Security Response Center (MSRC) at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21415
Microsoft Azure AI Face Service — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Ai Face Service
APPMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
RCE przez deserialization w Microsoft SharePoint Server (on-premises)