Microsoft has recently issued critical security patches to rectify two significant vulnerabilities affecting both the Azure AI Face Service and Microsoft Account. These flaws, if exploited, could allow malicious actors to escalate their privileges under specific circumstances.
The vulnerabilities in question include the Microsoft Account Elevation of Privilege Vulnerability, designated as CVE-2025-21396, which carries a CVSS score of 7.5, and the Azure AI Face Service Elevation of Privilege Vulnerability, identified as CVE-2025-21415, with a critical CVSS rating of 9.9.
According to Microsoft, the flaw detailed in CVE-2025-21415 involves an authentication bypass through spoofing, enabling an authorized attacker to elevate privileges within the Azure AI Face Service over a network. This vulnerability was reported by an unnamed researcher.
Similarly, CVE-2025-21396 arises from a lack of necessary authorization, potentially allowing unauthorized users to escalate their privileges. This issue was identified by researcher Sugobet, who has been recognized for his findings.
Microsoft has acknowledged the existence of proof-of-concept exploit code for CVE-2025-21415 but reassured users that both vulnerabilities have been mitigated. Notably, no action is required from customers to secure their systems as a result of these vulnerabilities.
This advisement aligns with Microsoft’s commitment to enhancing transparency regarding cybersecurity vulnerabilities within critical cloud services. The company has underscored the importance of openly communicating such vulnerabilities to ensure the resilience of digital infrastructures.
In a public statement made in June 2024, Microsoft emphasized the industry’s migration to cloud computing: “As our industry matures and increasingly migrates to cloud-based services, we must be transparent about significant cybersecurity vulnerabilities that are found and fixed.” By facilitating the exchange of information about vulnerabilities, Microsoft aims to foster a more secure environment overall.
The tactical implications of these vulnerabilities can be analyzed through the lens of the MITRE ATT&CK framework, where the potential techniques used in such attacks may include initial access, privilege escalation, and persistence strategies. These techniques highlight the critical need for businesses to remain vigilant and informed about evolving cybersecurity threats.
