Microsoft Fixes AI, Cloud, and ERP Security Flaws; CVE-2024-49035 Exploited in Active Attacks

Microsoft has patched four significant security vulnerabilities affecting its AI, cloud services, enterprise resource planning (ERP) systems, and Partner Center. One of these flaws, identified as CVE-2024-49035 with a CVSS score of 8.7, has already been exploited in real-world attacks.


Details on CVE-2024-49035

CVE-2024-49035 is a privilege escalation flaw in the Partner Center platform (partner.microsoft[.]com).

  • Nature of the Vulnerability: An improper access control issue allows unauthenticated attackers to elevate privileges over a network.
  • Advisory Highlights: Microsoft acknowledged that this vulnerability has been actively exploited but did not provide specific details about the attack methods.
  • Researchers Credited: Gautam Peri, Apoorv Wadhwa, and an anonymous contributor reported the flaw.

Fixes for this vulnerability are included in automatic updates to the online version of Microsoft Power Apps.


Other Addressed Vulnerabilities

Microsoft has also resolved three additional flaws, two of which are classified as Critical, and one as Important:

  1. CVE-2024-49038 (CVSS 9.3, Critical):
  • Type: Cross-site scripting (XSS) in Copilot Studio.
  • Impact: Unauthorized attackers can escalate privileges over a network.
  2. CVE-2024-49052 (CVSS 8.2, Critical):
  • Type: Missing authentication for critical functions in Microsoft Azure PolicyWatch.
  • Impact: Enables unauthorized attackers to escalate privileges over a network.
  3. CVE-2024-49053 (CVSS 7.6, Important):
  • Type: Spoofing vulnerability in Microsoft Dynamics 365 Sales.
  • Impact: Authenticated attackers can exploit this flaw by tricking users into clicking on a specially crafted URL, potentially redirecting them to malicious sites.

Mitigation and Recommendations

Microsoft has rolled out fixes for these vulnerabilities, most of which require no user action. However, to secure against CVE-2024-49053, users should:

  • Update Dynamics 365 Sales apps for Android and iOS to version 3.24104.15 or later.

Importance of Prompt Updates

These vulnerabilities highlight the evolving risks in cloud services and enterprise systems, particularly in widely used platforms like Copilot Studio, Azure PolicyWatch, and Dynamics 365 Sales. Organizations must ensure that their systems are updated promptly to mitigate the risk of exploitation.