Microsoft has addressed two critical vulnerabilities recently discovered in Azure AI Face Service and Microsoft Account that could allow a threat actor to escalate their privileges under certain conditions.
The more severe flaw, designated CVE-2025-21415 and assigned a CVSS score of 9.9, is an authentication bypass that can be exploited by spoofing the Azure AI Face Service, a cloud-based facial recognition service that lets developers integrate facial detection, recognition, and analysis into their applications. Successful exploitation could allow a threat actor to elevate their privileges over a network. Microsoft advised that it is aware that proof-of-concept (PoC) exploit code for CVE-2025-21415 is available.
The second flaw, designated CVE-2025-21396 and assigned a CVSS score of 7.5, could also allow an unauthorized threat actor to elevate their privileges over a network, in this case because of an insufficient authorization mechanism. Microsoft did not say whether it was aware of PoC exploit code or any active exploitation of CVE-2025-21396.
Microsoft has patched both vulnerabilities, and users are not required to take further action.
The public disclosure of CVE-2025-21415 and CVE-2025-21396 by Microsoft is part of its ongoing efforts to improve transparency by issuing CVEs for critical vulnerabilities found in its cloud services, even if they are patched behind the scenes and require no customer action to resolve.
Source: The Hacker News
Analysis
One benefit of cloud services is that vendors can move quickly to patch vulnerabilities without any user action. This mechanism shrinks the window in which threat actors can take advantage of identified vulnerabilities, considerably improving the security posture of cloud services. Users often patch at a slower cadence than vendors, which leaves them exposed to vulnerabilities for a much longer period.
An extreme example of this lag is CVE-2014-21204, a vulnerability in Cisco’s Adaptive Security Appliance (ASA), which was exploited by threat actors a decade after the vulnerability was patched.
Microsoft’s efforts to be more transparent, in this case by disclosing the critical vulnerabilities it patches behind the scenes, ensure customers are informed about security risks affecting the cloud services they rely on. It also allows them to assess potential impacts, enhance their own security monitoring, and keep compliant with regulatory requirements.
From a broader cybersecurity perspective, this practice strengthens the industry’s collective defense by improving threat intelligence sharing and enabling security researchers, incident response teams, and regulatory bodies to track vulnerabilities more effectively. Publicly disclosing cloud service vulnerabilities encourages best practices, fosters accountability among cloud providers, and promotes a more resilient cybersecurity ecosystem by ensuring that critical flaws do not go unnoticed or unaddressed.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats targeting cloud infrastructure. Field Effect MDR users are automatically notified if suspicious connections are made to their cloud accounts and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
The best way to keep cloud accounts secure from malicious activities is to not allow threat actors to access them in the first place. Field Effect strongly recommends organizations adopt dark web monitoring, which is included as part of Field Effect MDR, to proactively uncover leaked credentials and personal information before threat actors can use them to facilitate access to their network.