CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-59503

CVSS 10.0v3.1pub. 2025-10-23upd. 2025-12-31

Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The SSRF vulnerability allows an attacker to induce a vulnerable server to send specially crafted network requests on their behalf, bypassing access control mechanisms. In the case of Azure Compute Gallery, this flaw is remotely accessible over the network without requiring any privileges (PR:N, UI:N). The scope of the attack extends beyond the boundary of the original component (S:C), indicating potential impact on resources outside the direct context of the service. Successful exploitation of the vulnerability can lead to privilege escalation in the cloud environment.

Impact

An attacker can obtain privilege escalation in the Azure environment, which combined with the full CIA triad (C:H/I:H/A:H) indicates potential loss of confidentiality, integrity, and availability of cloud resources. The lack of authentication requirements makes this vulnerability exceptionally dangerous for organizations using Azure Compute Gallery.

Mitigation & patch

Apply patches available from the vendor according to references published by Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503. As a service managed by Microsoft, updates may be deployed on the Azure platform side — administrators should verify the status in the MSRC portal and monitor Microsoft service messages regarding Azure Compute Gallery.

Who is affected

Microsoft Azure Compute Resource Provider — Azure Compute Gallery; versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Compute Resource Provider

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-53770CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserialization w Microsoft SharePoint Server (on-premises)