CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-49746

CVSS 9.9v3.1pub. 2025-07-18upd. 2025-08-14

Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The flaw lies in improper authorization (CWE-285) — access control mechanisms do not properly verify what operations are allowed for a given authenticated user. An attacker with basic access level to the environment can send appropriately crafted network requests that will be handled with higher privileges than they should be. The attack vector is network-based, requires no user interaction and no complex prerequisites.

Impact

An attacker can obtain elevated privileges in the Azure Machine Learning environment, which with a scope of impact extending beyond the source component (Scope: Changed) may result in complete compromise of confidentiality, integrity, and availability of related resources.

Mitigation & patch

Apply patches available from the manufacturer according to references — details regarding updates have been published in the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49746

Who is affected

Microsoft Azure Machine Learning — versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Machine Learning

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-49747CRITICAL9.9PL ✓ten sam produkt

Brak autoryzacji w Azure Machine Learning umożliwia privilege escalation

CVE-2025-30390CRITICAL9.9PL ✓ten sam produkt

Nieprawidłowa autoryzacja w Azure Machine Learning — privilege escalation

CVE-2026-33833HIGH8.2ten sam produkt

Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Ma...

CVE-2026-32207HIGH8.8ten sam produkt

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning...

CVE-2025-47995MEDIUM6.5ten sam produkt

Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a netwo...