CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-21415

CVSS 9.9v3.1pub. 2025-01-29upd. 2025-02-07

Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-290 (Authentication Bypass by Spoofing) involves an attacker impersonating an authorized entity to bypass identity verification mechanisms. This enables privilege escalation in the Azure AI Face Service without requiring higher privileges than a standard user account. The attack can be conducted remotely over the network without requiring user interaction, and its effects extend beyond the direct scope of the attacked component (Scope: Changed).

Impact

An attacker can gain elevated privileges in the Azure AI Face Service, leading to complete compromise of confidentiality, integrity, and availability of processed data and service functionality.

Mitigation & patch

Apply patches available from the vendor according to references published in the Microsoft Security Response Center (MSRC) at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21415

Who is affected

Microsoft Azure AI Face Service — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Ai Face Service

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-53770CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserialization w Microsoft SharePoint Server (on-premises)