Improper authorization in Azure allows an authorized attacker to elevate privileges over a network.
The flaw consists of improper authorization (CWE-285) in the Microsoft Azure Machine Learning service. An authenticated attacker with only basic network privileges is able to bypass access control mechanisms and obtain a higher level of privileges than they are entitled to. The attack does not require user interaction or complex prerequisites, and its scope extends beyond the originally compromised context (Scope: Changed).
An attacker can obtain elevated privileges in the Azure Machine Learning environment, which may lead to a complete breach of confidentiality, integrity, and availability of processed data and computing resources.
Apply patches available from the manufacturer according to the references. Detailed information about updates is available in the Microsoft Security Response Center at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30390
Microsoft Azure Machine Learning — versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Machine Learning
APPMicrosoftwszystkie wersje
Related vulnerabilities
Privilege escalation w Azure Machine Learning przez błąd autoryzacji
Brak autoryzacji w Azure Machine Learning umożliwia privilege escalation
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Ma...
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning...
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a netwo...