Microsoft has fixed two critical security vulnerabilities in its cloud-based services. The fixes resolve flaws in Azure AI Face Service and in Microsoft Account, each of which could have allowed an attacker to escalate privileges over a network under specific conditions.
Details of the Vulnerabilities
The two vulnerabilities are identified as follows:
- CVE-2025-21396, CVSS score: 7.5 – Microsoft Account Elevation of Privilege Vulnerability
- CVE-2025-21415, CVSS score: 9.9 – Azure AI Face Service Elevation of Privilege Vulnerability
According to Microsoft, CVE-2025-21415 stems from an authentication bypass in the Azure AI Face Service. Under certain conditions, an authorized attacker (one who already holds valid credentials for the service) could exploit the flaw to escalate privileges over a network. The vulnerability was discovered and reported by an anonymous researcher.
CVE-2025-21396, by contrast, is caused by missing authorization checks in the Microsoft Account system. This flaw could allow an unauthorized attacker (one without valid credentials) to elevate privileges over a network. A security researcher known as Sugobet has been credited with identifying this issue.
Exploit and Mitigation
Microsoft has acknowledged that proof-of-concept (PoC) exploit code exists for CVE-2025-21415. Both vulnerabilities have since been fully mitigated on Microsoft's side: the fixes were applied to the services themselves, so customers have nothing to patch and are not required to take any additional action. Microsoft publishes CVEs for such cloud-service flaws for transparency, even when no customer action is needed; security teams tracking these identifiers can therefore close them out without deploying an update.