Microsoft has patched four critical security vulnerabilities affecting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center services. One of these flaws, CVE-2024-49035, has reportedly been exploited in real-world scenarios.
The vulnerability CVE-2024-49035, carrying a CVSS score of 8.7, involves a privilege escalation flaw in the Partner Center (partner.microsoft[.]com). Microsoft described it as: "An improper access control vulnerability in partner.microsoft[.]com allows an unauthenticated attacker to elevate privileges over a network."
The flaw was reported by Gautam Peri, Apoorv Wadhwa, and an anonymous researcher. However, Microsoft has not disclosed specifics regarding its exploitation in active attacks.
Alongside CVE-2024-49035, three other vulnerabilities were patched, two of which are rated Critical:
- CVE-2024-49038 (CVSS score: 9.3): A cross-site scripting (XSS) flaw in Copilot Studio enabling unauthorized privilege escalation over a network.
- CVE-2024-49052 (CVSS score: 8.2): A missing authentication vulnerability in Microsoft Azure PolicyWatch, allowing unauthorized privilege escalation.
- CVE-2024-49053 (CVSS score: 7.6): A spoofing flaw in Microsoft Dynamics 365 Sales that could redirect users to malicious sites via specially crafted URLs.
- Mitigations and User Recommendations
- Most vulnerabilities have been automatically addressed through updates to Microsoft Power Apps. However, users of Dynamics 365 Sales apps for Android and iOS should upgrade to the latest version (3.24104.15) to protect against CVE-2024-49053.
Microsoft continues to emphasize proactive updates and security monitoring to safeguard against emerging threats.