A security researcher discovered a critical vulnerability in Azure Backup for AKS, which allegedly allowed for unauthorized access, but Microsoft rejected the report and did not issue a CVE1. The researcher claims that despite the rejection, Microsoft quietly fixed the issue, while the company disputes this, stating that the observed behavior was expected and no changes were made to the product. The researcher, however, documented evidence of a silent fix, contradicting Microsoft's claims. The vulnerability, if it existed, could have had significant implications for the security of Azure-based systems. The incident highlights the challenges in vulnerability reporting and the potential for disputes between researchers and vendors. So what matters to practitioners is that they must remain vigilant and assess the security of their Azure environments, even in the absence of official CVEs or acknowledgments from Microsoft.
Microsoft rejects critical Azure vulnerability report, no CVE issued
⚡ High Priority
Why This Matters
Security developments involving Microsoft add to the evolving threat landscape — assess relevance to your environment.
References
- BleepingComputer. (2026, May 16). Microsoft rejects critical Azure vulnerability report, no CVE issued. *BleepingComputer*. https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-azure-vulnerability-report-no-cve-issued/
Original Source
BleepingComputer
Read original →