Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
An attacker with basic privileges in the Azure Machine Learning environment can exploit the lack of proper authorization verification to perform operations requiring higher privileges. The vulnerability can be exploited remotely over the network without requiring user interaction and with low attack complexity. The changed scope (Scope: Changed) suggests that the impact may extend beyond the directly exposed component.
An attacker can obtain unauthorized privilege escalation, leading to complete compromise of confidentiality, integrity, and availability of resources — potentially including resources beyond the original scope of access.
Apply patches available from the vendor according to references at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49747
Microsoft Azure Machine Learning — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Machine Learning
APPMicrosoftwszystkie wersje
Related vulnerabilities
Privilege escalation w Azure Machine Learning przez błąd autoryzacji
Nieprawidłowa autoryzacja w Azure Machine Learning — privilege escalation
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Ma...
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning...
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a netwo...