Microsoft has patched two Critical-rated security flaws affecting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions.
The flaws are listed below.
- CVE-2025-21396 (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability
- CVE-2025-21415 (CVSS score: 9.9) - Azure AI Face Service Elevation of Privilege Vulnerability
Microsoft’s advisory for CVE-2025-21415, which credits an anonymous researcher for reporting the flaw, states that “phishing in Azure AI Face Service allows an official attacker to promote permissions over a network.”
CVE-2025-21396, on the other hand, stems from a network-related issue involving missing authorization. A security researcher who goes by Sugobet has been credited with finding it.
The tech giant also noted that it is aware of proof-of-concept (PoC) exploit code for CVE-2025-21415, adding that both vulnerabilities have been fully mitigated. The issues require no user action.
Microsoft continues to work to improve transparency by issuing CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or take other security measures.
“We must be open about substantial security flaws that are discovered and fixed as our industry matures and more and more people move to cloud-based services,” it said in a note from June 2024.
“We let Microsoft and our partners learn and grow by openly sharing knowledge about vulnerabilities that have been discovered and fixed. This cooperative work improves our crucial infrastructure’s endurance and safety.”