{"id":316,"date":"2025-02-05T00:11:38","date_gmt":"2025-02-04T18:41:38","guid":{"rendered":"https:\/\/www.securis360.com\/blog\/?p=316"},"modified":"2026-02-18T05:40:31","modified_gmt":"2026-02-18T05:40:31","slug":"microsoft-fixes-critical-azure-ai-face-service-vulnerability-cvss-9-9","status":"publish","type":"post","link":"https:\/\/securis360.com\/blog\/microsoft-fixes-critical-azure-ai-face-service-vulnerability-cvss-9-9\/","title":{"rendered":"Microsoft Fixes Critical Azure AI Face Service Vulnerability (CVSS 9.9)"},"content":{"rendered":"\n<p>Microsoft has rolled out security updates to fix <strong>two critical vulnerabilities<\/strong> affecting <strong>Azure AI Face Service<\/strong> and <strong>Microsoft Account<\/strong>, both of which could enable <strong>privilege escalation<\/strong> under specific conditions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Details of the Security Flaws<\/strong><\/h4>\n\n\n\n<p>The two patched vulnerabilities are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE-2025-21396<\/strong> (<strong>CVSS Score: 7.5<\/strong>) \u2013 <strong>Microsoft Account Elevation of Privilege Vulnerability<\/strong><\/li>\n\n\n\n<li><strong>CVE-2025-21415<\/strong> (<strong>CVSS Score: 9.9<\/strong>) \u2013 <strong>Azure AI Face Service Elevation of Privilege Vulnerability<\/strong><\/li>\n<\/ul>\n\n\n\n<p>According to Microsoft\u2019s advisory, <strong>CVE-2025-21415<\/strong> is an <strong>authentication bypass flaw<\/strong> in <strong>Azure AI Face Service<\/strong> that allows an <strong>authorized attacker<\/strong> to <strong>elevate privileges over a network<\/strong>. The issue was reported by an anonymous researcher.<\/p>\n\n\n\n<p>Meanwhile, <strong>CVE-2025-21396<\/strong> is caused by <strong>missing authorization checks<\/strong>, which could enable an <strong>unauthorized attacker<\/strong> to <strong>gain elevated privileges<\/strong> remotely. A researcher known as <strong>Sugobet<\/strong> has been credited with its discovery.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>No Customer Action Required<\/strong><\/h4>\n\n\n\n<p>Microsoft has confirmed that it is aware of a <strong>proof-of-concept (PoC) exploit<\/strong> for <strong>CVE-2025-21415<\/strong> but assures users that <strong>both vulnerabilities have been fully mitigated<\/strong>. No additional action is required from customers.<\/p>\n\n\n\n<p>This update is part of Microsoft&#8217;s <strong>broader initiative<\/strong> to improve transparency in cloud security. Even when patches or customer interventions aren&#8217;t necessary, Microsoft is committed to <strong>disclosing critical cloud service vulnerabilities<\/strong> to strengthen cybersecurity awareness.<\/p>\n\n\n\n<p>&#8220;As cloud adoption grows, transparency in addressing cybersecurity threats is essential,&#8221; Microsoft stated in a <strong>June 2024 advisory<\/strong>. &#8220;Sharing details on discovered and remediated vulnerabilities fosters industry-wide improvements and strengthens critical infrastructure resilience.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has rolled out security updates to fix two critical vulnerabilities affecting Azure AI Face Service and Microsoft Account, both of which could enable privilege escalation under specific conditions. Details of the Security Flaws The two patched vulnerabilities are: According to Microsoft\u2019s advisory, CVE-2025-21415 is an authentication bypass flaw in Azure AI Face Service that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":931,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[252,253,83,254,255,256,257,258,259,260],"class_list":["post-316","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-authentication-bypass","tag-azure-ai-face-service","tag-cloud-security","tag-cve-2025-21396","tag-cve-2025-21415","tag-microsoft","tag-microsoft-security-patch","tag-privilege-escalation","tag-proof-of-concept-exploit","tag-security-vulnerability"],"_links":{"self":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/comments?post=316"}],"version-history":[{"count":1,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/316\/revisions"}],"predecessor-version":[{"id":932,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/316\/revisions\/932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media\/931"}],"wp:attachment":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media?parent=316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/categories?post=316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/tags?post=316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}