Azure OpenAI Elevation of Privilege Vulnerability
The vulnerability is classified as CWE-918 (Server-Side Request Forgery — SSRF), which means an attacker can force the server to execute network requests on their behalf. The CVSS vector indicates a network-based attack (AV:N), without requirements for complexity (AC:L), authentication (PR:N), or user interaction (UI:N). The scope of the attack extends beyond the directly attacked component (S:C), suggesting the possibility of impact on resources in the broader Azure cloud environment.
An attacker can gain unauthorized access to sensitive resources and modify data in the Azure environment, which corresponds to high impact on confidentiality (C:H) and integrity (I:H) as indicated in the CVSS vector.
Apply patches available from the vendor according to references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767. Azure services are typically updated automatically on the Microsoft side, however it is recommended to verify the update status in the Azure management panel and monitor MSRC communications.
Microsoft Azure OpenAI — versions indicated in vendor references (Microsoft Security Response Center)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NMicrosoft Azure Openai
APPMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
RCE przez deserialization w Microsoft SharePoint Server (on-premises)