Microsoft addresses critical security vulnerabilities across AI and cloud services
Microsoft has unveiled patches for four significant security vulnerabilities affecting its artificial intelligence, cloud infrastructure, and enterprise platforms, with one flaw already being exploited in production environments.
The developments raise concerns about potential widespread impacts on business operations and data security.
The most urgent issue, because it is the one already under active exploitation, is CVE-2024-49035 (CVSS 8.7), which enables unauthorized attackers to elevate their privileges through partner.microsoft[.]com. Security researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor discovered this vulnerability, which Microsoft confirms is currently being exploited in the wild. Microsoft has not disclosed specific attack vectors or exploitation methods.
Among the other patched vulnerabilities, Copilot Studio faces a severe cross-site scripting (XSS) vulnerability (CVE-2024-49038, CVSS 9.3) that could allow malicious actors to escalate privileges across networks. This flaw in Microsoft’s AI-powered development platform highlights growing security concerns surrounding artificial intelligence tools in enterprise environments.
Azure PolicyWatch, a critical component of Microsoft’s cloud infrastructure, contains a significant authentication bypass vulnerability (CVE-2024-49052, CVSS 8.2). This flaw potentially enables unauthorized privilege escalation, raising red flags for organizations heavily dependent on Azure services for their cloud operations.
The fourth vulnerability affects Microsoft Dynamics 365 Sales (CVE-2024-49053, CVSS 7.6), introducing a spoofing risk that could enable attackers to redirect users to malicious websites through specially crafted URLs. This poses particular concerns for sales teams and customer relationship management operations.
Microsoft has implemented automatic security patches for most of these vulnerabilities through Power Apps updates. However, Dynamics 365 Sales users must take manual action by updating their mobile applications to version 3.24104.15 to protect against potential attacks.
These security updates come at a crucial time when organizations increasingly rely on Microsoft’s AI and cloud services for their daily operations. The presence of an actively exploited vulnerability, particularly one affecting partner relationships, underscores the critical nature of these patches and the importance of prompt security updates across enterprise environments.