CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-53767

CVSS 10.0v3.1pub. 2025-08-07upd. 2025-08-14

Azure OpenAI Elevation of Privilege Vulnerability

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-918 (Server-Side Request Forgery — SSRF), which means an attacker can force the server to execute network requests on their behalf. The CVSS vector indicates a network-based attack (AV:N), without requirements for complexity (AC:L), authentication (PR:N), or user interaction (UI:N). The scope of the attack extends beyond the directly attacked component (S:C), suggesting the possibility of impact on resources in the broader Azure cloud environment.

Impact

An attacker can gain unauthorized access to sensitive resources and modify data in the Azure environment, which corresponds to high impact on confidentiality (C:H) and integrity (I:H) as indicated in the CVSS vector.

Mitigation & patch

Apply patches available from the vendor according to references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767. Azure services are typically updated automatically on the Microsoft side, however it is recommended to verify the update status in the Azure management panel and monitor MSRC communications.

Who is affected

Microsoft Azure OpenAI — versions indicated in vendor references (Microsoft Security Response Center)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Microsoft Azure Openai

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-53770CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserialization w Microsoft SharePoint Server (on-premises)