Vulnerabilities > Microsoft > Critical

DATE CVE VULNERABILITY TITLE RISK

2025-05-13 CVE-2025-30387 Path Traversal vulnerability in Microsoft Azure AI Document Intelligence Studio
Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-22 | Risk: critical (9.8)

2025-05-08 CVE-2025-29813 Improper Authentication vulnerability in Microsoft Azure DevOps
[Spoofable identity claims] Authentication Bypass by Assumed-Immutable Data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-287 | Risk: critical (9.8)

2025-05-08 CVE-2025-29972 Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Storage Resource Provider
Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-918 | Risk: critical (9.8)

2025-05-08 CVE-2025-47732 Deserialization of Untrusted Data vulnerability in Microsoft Dataverse
Microsoft Dataverse Remote Code Execution Vulnerability
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-502 | Risk: critical (9.8)

2025-04-30 CVE-2025-30389 Improper Authorization vulnerability in Microsoft Azure AI Bot Service
Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-285 | Risk: critical (9.8)

2025-04-30 CVE-2025-30392 Improper Authorization vulnerability in Microsoft Azure AI Bot Service
Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-285 | Risk: critical (9.8)

2025-02-19 CVE-2025-21355 Missing Authentication for Critical Function vulnerability in Microsoft Bing
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-306 | Risk: critical (9.8)

2025-02-19 CVE-2025-24989 Unspecified vulnerability in Microsoft Power Pages
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified.
Attack vector: network | Complexity: low | Vendor: microsoft | Risk: critical (9.8)

2025-01-14 CVE-2025-21311 Unspecified vulnerability in Microsoft products
Windows NTLM V1 Elevation of Privilege Vulnerability
Attack vector: network | Complexity: low | Vendor: microsoft | Risk: critical (9.8)

2024-12-12 CVE-2024-49147 Deserialization of Untrusted Data vulnerability in Microsoft Update Catalog
Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver.
Attack vector: network | Complexity: low | Vendor: microsoft | CWE-502 | Risk: critical (9.8)