Microsoft declines Azure vuln CVE
- Security researcher Justin O’Leary said Microsoft rejected his March 17 Azure Backup for AKS report and no CVE was issued after review. (olearysec.com)
- CERT/CC validated the finding as VU#284781 on April 16, but Microsoft said the behavior required pre-existing administrative rights and was expected. (olearysec.com)
- Microsoft’s cloud CVE policy remains posted on the MSRC blog, while AKS security bulletins continue on Microsoft Learn. (microsoft.com)
Justin O’Leary, a security researcher, said Microsoft rejected his report of an Azure Backup for Azure Kubernetes Service privilege-escalation issue after he submitted it on March 17. O’Leary wrote on May 12 that a user with the Azure “Backup Contributor” role could gain cluster-admin rights on an AKS cluster without prior Kubernetes permissions. (olearysec.com)

Microsoft told BleepingComputer that it did not view the reported behavior as a security vulnerability. (olearysec.com) The company said the scenario depended on pre-existing administrative permissions in the customer environment, that no product changes were made, and that it did not assign a CVE or CVSS score. (microsoft.com)

The dispute has drawn attention because Microsoft said in a June 27, 2024 blog post that it would issue CVEs for critical cloud service vulnerabilities even when customers did not need to deploy a patch. That policy statement remains published on the Microsoft Security Response Center site. (olearysec.com)

### What exactly did the researcher say the Azure issue allowed?

O’Leary said the issue affected Azure Backup for AKS and let a user holding only the “Backup Contributor” Azure role escalate to cluster-admin on an AKS cluster. In his write-up, he described the path as a confused-deputy style privilege escalation involving Azure’s trusted access relationship with Kubernetes. (bleepingcomputer.com)

The researcher assigned the issue a CVSS base score of 9.9 in his public write-up, but Microsoft did not adopt that score, and no CVE was entered. O’Leary said the flaw required zero pre-existing Kubernetes permissions, directly disputing Microsoft’s characterization of the conditions needed for exploitation. (microsoft.com)

### When did Microsoft reject it, and what reason did it give?

O’Leary said Microsoft rejected the report on April 13. Accounts citing his disclosure said Microsoft’s position was that the attack required administrative privileges already present in the customer environment, which the company said placed the behavior outside its security-vulnerability threshold. (olearysec.com)

BleepingComputer reported that Microsoft repeated that position in a statement, saying the company had assessed the case and found no vulnerability because the reported behavior relied on expected permissions. Microsoft did not publish a CVE entry for the issue in its Security Update Guide. (olearysec.com)

### What role did CERT/CC and MITRE play?

CERT/CC independently validated the finding on April 16 and assigned it VU#284781, according to O’Leary’s post. That validation became a key point in the public debate because it showed that a second organization had reviewed the technical claim and judged it reportable. (olearysec.com)

Secondary reports cited May 4 as the date Microsoft told MITRE it opposed a CVE assignment. Because Microsoft is the CVE Numbering Authority for its own products, the case did not proceed to a published CVE once the vendor disputed the finding, according to those reports. (bleepingcomputer.com)

### Why has this become a broader cloud-disclosure debate?

Microsoft’s June 2024 cloud-CVE policy said the company would issue CVEs for critical cloud service vulnerabilities regardless of whether customers needed to take action. The same post cited CNA guidance encouraging public disclosure when a vulnerability could cause significant harm or required risk assessment by parties beyond the supplier. (olearysec.com)

Azure customers do not always receive cloud-risk information through the same channels used for on-premises software flaws. Microsoft’s Azure Service Health and product-specific bulletins are part of that disclosure system, and the AKS security bulletin page says it includes critical advisories, ongoing investigations, and false positives or non-exploitable CVEs. (bleepingcomputer.com)

### Where would customers look next for any official follow-up?

Microsoft’s official channels remain the MSRC site, the Security Update Guide and Azure product documentation. As of May 17, the AKS security bulletins page listed multiple 2026 advisories, but the disputed Azure Backup for AKS issue was not identified there by a CVE. (microsoft.com)

O’Leary said June 1 was the disclosure date CERT/CC had initially planned before the case was closed without a CVE. Any further public record would most likely appear through a new MSRC post, a Security Update Guide entry, or an update to Microsoft’s AKS security bulletins. (olearysec.com) (msrc.microsoft.com) (azure.microsoft.com)