Week 20 – Critical elevation of privilege vulnerability in Azure DevOps

12 – 18 May 2025
A critical elevation of privilege vulnerability has been found in Azure DevOps. It was published on May 8, 2025, and updated with more details 2 days later, on May 10, 2025. It has a CVSS score of 10.0!
It’s not often that a truly critical vulnerability is discovered that reaches the maximum severity rating of 10 on the Common Vulnerability Scoring System. This is one such case.
Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by Visual Studio improperly handling pipeline job tokens, which could enable an attacker to extend their access to a project. According to the company’s official communication:
To exploit this vulnerability, an attacker would first have to have access to the project and swap the short-term token for a long-term one.
To be fair, CVE-2025-29813 is just one of a number of critical vulnerabilities affecting core cloud services that the tech giant has confirmed this week. The good news is that none of them are known to have been exploited in the wild, none have been publicly disclosed, and there’s nothing you can do as a user to protect your environment.
“This vulnerability has already been fully mitigated by Microsoft.” – they say, so there’s no need to worry; we can sleep soundly.
You can find more information and details on the subject at the link below:
https://www.forbes.com/sites/daveywinder/2025/05/11/microsoft-confirms-critical-1010-cloud-security-vulnerability/

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.