CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-29813

CVSS 10.0v3.1pub. 2025-05-08upd. 2026-02-13

Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-302 relies on the authentication mechanism based on data assumed to be immutable, which can actually be manipulated by an attacker. An unauthenticated network attacker without any permissions and without victim involvement can craft a request that will be treated by the system as authorized. As a result, authentication controls are bypassed and elevated privileges are obtained in the Azure DevOps environment.

Impact

An attacker can gain privilege escalation in the Azure DevOps environment, which in practice means potential full access to code repositories, CI/CD pipelines, artifacts, and sensitive project data. The scope of the breach includes full confidentiality, integrity, and availability of resources.

Mitigation & patch

Apply patches available from the vendor according to references — detailed information about updates is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29813. For the Microsoft cloud service, Microsoft may deploy patches on the server side without client involvement — it is recommended to verify patch status in the admin panel and monitor communications from the Microsoft Security Response Center.

Who is affected

Microsoft Azure DevOps — versions indicated in vendor references (Microsoft Security Response Center).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Devops

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-42826CRITICAL10.0PL ✓ten sam produkt

Ujawnienie wrażliwych informacji w Microsoft Azure DevOps (CVE-2026-42826)

CVE-2025-47158CRITICAL9.0PL ✓ten sam produkt

Authentication Bypass w Azure DevOps — eskalacja uprawnień przez sieć

CVE-2026-23658HIGH8.6ten sam produkt

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges ove...

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server