Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
The flaw lies in improper authorization (CWE-285) — access control mechanisms do not properly verify what operations are allowed for a given authenticated user. An attacker with basic access level to the environment can send appropriately crafted network requests that will be handled with higher privileges than they should be. The attack vector is network-based, requires no user interaction and no complex prerequisites.
An attacker can obtain elevated privileges in the Azure Machine Learning environment, which with a scope of impact extending beyond the source component (Scope: Changed) may result in complete compromise of confidentiality, integrity, and availability of related resources.
Apply patches available from the manufacturer according to references — details regarding updates have been published in the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49746
Microsoft Azure Machine Learning — versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Machine Learning
APPMicrosoftwszystkie wersje
Related vulnerabilities
Brak autoryzacji w Azure Machine Learning umożliwia privilege escalation
Nieprawidłowa autoryzacja w Azure Machine Learning — privilege escalation
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Ma...
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning...
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a netwo...