HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-49035

CVSS 8.7v3.1pub. 2024-11-26upd. 2025-10-28

An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Microsoft Partner Center

    APP
    Microsoft
    wszystkie wersje

CISA KEV — detailsi

Vendori
Microsoft
Producti
Partner Center
Added to KEVi
February 25, 2025
Remediation deadline (US Federal)i
March 18, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 18 marca 2025
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-24303CRITICAL9.6PL ✓ten sam produkt

Privilege Escalation w Microsoft Partner Center przez nieprawidłową kontrolę dostępu

CVE-2025-65041CRITICAL10.0PL ✓ten sam produkt

Nieprawidłowa autoryzacja w Microsoft Partner Center — privilege escalation

CVE-2025-29814CRITICAL9.3PL ✓ten sam produkt

Nieautoryzowana eskalacja uprawnień w Microsoft Partner Center

CVE-2026-34327HIGH8.2ten sam produkt

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthor...

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów