Microsoft has remediated two critical vulnerabilities affecting Azure AI Face Service and Microsoft Account, both of which could enable privilege escalation under specific conditions. Because both are cloud-hosted services, the fixes were applied on Microsoft's side rather than shipped as updates for customers to install.
Details of the Security Flaws
The two patched vulnerabilities are:
- CVE-2025-21396 (CVSS Score: 7.5) – Microsoft Account Elevation of Privilege Vulnerability
- CVE-2025-21415 (CVSS Score: 9.9) – Azure AI Face Service Elevation of Privilege Vulnerability
According to Microsoft’s advisory, CVE-2025-21415 is an authentication bypass by spoofing in Azure AI Face Service that allows an authorized attacker to elevate privileges over a network. The issue was reported by an anonymous researcher.
Meanwhile, CVE-2025-21396 stems from missing authorization checks in Microsoft Account, which could allow an unauthorized attacker to elevate privileges over a network. A researcher known as Sugobet has been credited with its discovery.
No Customer Action Required
Microsoft has confirmed that it is aware of a proof-of-concept (PoC) exploit for CVE-2025-21415, but states that both vulnerabilities have been fully mitigated on the service side. No additional action is required from customers; there is no patch to install, and the CVEs have been published for transparency rather than to prompt remediation.
This update is part of Microsoft’s broader initiative to improve transparency in cloud security. Even when patches or customer interventions aren’t necessary, Microsoft is committed to disclosing critical cloud service vulnerabilities to strengthen cybersecurity awareness.
“As cloud adoption grows, transparency in addressing cybersecurity threats is essential,” Microsoft stated in a June 2024 advisory. “Sharing details on discovered and remediated vulnerabilities fosters industry-wide improvements and strengthens critical infrastructure resilience.”