
A security researcher claims Microsoft quietly patched an Azure Backup for AKS vulnerability after rejecting his report, and blocked a CVE from being issued.
The researcher's report describes a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged "Backup Contributor" role.
Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting new permission checks and failed exploit attempts after disclosure, suggestive of a silent patch.
CERT agrees it is a bug, but Microsoft blocks CVE
Security researcher Justin O'Leary discovered the flaw this March and reported it to Microsoft on March 17.
The Microsoft Security Response Center (MSRC) rejected the report on April 13, claiming the issue only involved obtaining cluster-admin on a cluster where "the attacker already held administrator access," a characterization O'Leary says misrepresents the attack entirely.
"This is factually incorrect," states the researcher.
"The vulnerability allows a user with zero Kubernetes permissions to gain cluster-admin. The attack does not require existing cluster access — it grants it."
O'Leary further says that Microsoft described the submission to MITRE as "AI-generated content," something he says did not address the technical merits of the report.
After the rejection, O'Leary escalated the issue to the CERT Coordination Center (CERT/CC), which independently validated the vulnerability on April 16 and, according to the researcher, assigned it an identifier, VU#284781:
(Screenshot: Justin O'Leary)
CERT/CC had initially scheduled public disclosure for June 1, 2026, but that disclosure never took place.
On May 4, Microsoft staff reportedly contacted MITRE recommending against CVE assignment, again arguing that the issue required pre-existing administrative access:
(Screenshot: Justin O'Leary)
CERT/CC later closed the case under CNA hierarchy rules, effectively leaving Microsoft (which is a CNA) with final authority over CVE issuance for its own products.
How the attack worked
Azure Backup for AKS uses Trusted Access to grant the backup extension cluster-admin privileges inside Kubernetes clusters.
According to O'Leary, the flaw allowed anyone holding only the Backup Contributor role on a backup vault to trigger that Trusted Access relationship without already having any Kubernetes permissions.
An attacker could enable backup on a target AKS cluster, causing Azure to automatically configure Trusted Access with cluster-admin privileges. From there, the attacker could extract secrets through backup operations or restore malicious workloads into the cluster.
O'Leary classified the issue as a Confused Deputy vulnerability (CWE-441), in which the Azure RBAC and Kubernetes RBAC trust boundaries interacted in a way that bypassed the expected authorization controls.
Microsoft says no changes made, behavior says otherwise
BleepingComputer reached out to Microsoft to learn whether the tech giant considered this finding to be a valid security vulnerability.
A Microsoft spokesperson told BleepingComputer:
"Our assessment concluded that this is not a security vulnerability, but rather expected behavior that requires pre-existing administrative privileges within the customer's environment. Therefore, no product changes were made to address this report and no CVE or CVSS score were issued."
However, following the disclosure of his report this month, O'Leary observed that the original attack path no longer works.
"Current behavior returns errors that did not exist in March 2026," he states:
ERROR: UserErrorTrustedAccessGatewayReturnedForbidden
"The Trusted Access role binding is missing/has been removed"
According to O'Leary, Azure Backup for AKS now requires Trusted Access to be configured manually before backup can be enabled, reversing the earlier behavior in which Azure configured it automatically.
He also observed additional permission checks that were absent during his original testing in March. The vault MSI now requires Reader permissions on both the AKS cluster and the snapshot resource group, while the AKS cluster MSI requires Contributor permissions on the snapshot resource group.
In other words, the vulnerability appears to have been fixed, but Microsoft has neither issued a public advisory nor notified customers.
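For defenders who want to scope their own exposure, the practical question is which Azure identities could have driven backup operations against a cluster through the Trusted Access relationship described above, and whether any of those bindings are now stale. The script below is an added example, not code from the article or from O'Leary's report. It correlates a cluster's Trusted Access role bindings with the Azure RBAC assignments that cover the vaults those bindings point at. The two JSON inputs are constructed samples whose field names follow (as an assumption) the output of `az aks trustedaccess rolebinding list` and `az role assignment list`; the role name `Microsoft.DataProtection/backupVaults/backup-operator` is the Trusted Access role Azure Backup uses, and `EXISTING_VAULTS` stands in for the result of `az dataprotection backup-vault list`.

```python
"""Audit which Azure principals can reach an AKS cluster through an Azure Backup
Trusted Access binding, and which bindings point at vaults that no longer exist.

Added example; not code from the article or from the researcher's report.
Input shapes are assumed to mirror `az aks trustedaccess rolebinding list` and
`az role assignment list`; all records below are constructed sample data.
"""
import json

# Trusted Access role that Azure Backup for AKS binds into a cluster.
BACKUP_TA_ROLE = "Microsoft.DataProtection/backupVaults/backup-operator"
# Azure RBAC role the report identifies as the low-privileged entry point.
LOW_PRIV_ROLE = "Backup Contributor"

SUB = "/subscriptions/0000"
PROD_VAULT = SUB + "/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/prod-vault"
OLD_VAULT = SUB + "/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/decommissioned-vault"
OTHER_VAULT = SUB + "/resourceGroups/rg-other/providers/Microsoft.DataProtection/backupVaults/other-vault"

# Constructed sample: Trusted Access bindings on one cluster. Note the binding that
# still points at a vault which has since been deleted, and an unrelated ML binding.
TA_BINDINGS = json.loads(json.dumps([
    {"name": "backup-binding", "roles": [BACKUP_TA_ROLE],
     "sourceResourceId": PROD_VAULT, "provisioningState": "Succeeded"},
    {"name": "stale-binding", "roles": [BACKUP_TA_ROLE],
     "sourceResourceId": OLD_VAULT, "provisioningState": "Succeeded"},
    {"name": "ml-binding", "roles": ["Microsoft.MachineLearningServices/workspaces/mlworkload"],
     "sourceResourceId": SUB + "/resourceGroups/rg-ml/providers/Microsoft.MachineLearningServices/workspaces/ml",
     "provisioningState": "Succeeded"},
]))

# Constructed sample: Azure RBAC assignments across the subscription.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": LOW_PRIV_ROLE, "scope": PROD_VAULT},
    {"principalName": "backup-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": LOW_PRIV_ROLE, "scope": SUB + "/resourceGroups/rg-backup"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Backup Reader", "scope": PROD_VAULT},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": LOW_PRIV_ROLE, "scope": OTHER_VAULT},
]

# Constructed sample: vaults that currently exist (stand-in for a vault listing).
EXISTING_VAULTS = {PROD_VAULT, OTHER_VAULT}


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment at subscription or resource-group
    scope also applies to every resource beneath it. Compare case-insensitively and
    on path segments so 'rg-backup' does not match 'rg-backup2'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def backup_vaults_trusted_by_cluster(bindings: list) -> list:
    """Vault IDs whose Trusted Access binding grants the backup-operator role into
    the cluster, i.e. the relationship the report says backup enablement created."""
    return [b["sourceResourceId"] for b in bindings
            if BACKUP_TA_ROLE in b.get("roles", [])
            and b.get("provisioningState") == "Succeeded"]


def principals_with_cluster_reach(bindings: list, assignments: list) -> dict:
    """For each trusted vault, the principals holding Backup Contributor at a scope
    that covers it. These identities could drive backup and restore operations
    against the cluster without holding any Kubernetes RBAC of their own."""
    reach = {}
    for vault in backup_vaults_trusted_by_cluster(bindings):
        reach[vault] = sorted({a["principalName"] for a in assignments
                               if a["roleDefinitionName"] == LOW_PRIV_ROLE
                               and scope_covers(a["scope"], vault)})
    return reach


def stale_backup_bindings(bindings: list, existing_vaults: set) -> list:
    """Backup Trusted Access bindings whose source vault no longer exists. Such
    bindings keep cluster-admin reach alive for a vault nobody is watching and
    should be deleted rather than left in place."""
    return [b["name"] for b in bindings
            if BACKUP_TA_ROLE in b.get("roles", [])
            and b["sourceResourceId"] not in existing_vaults]


if __name__ == "__main__":
    print(json.dumps(principals_with_cluster_reach(TA_BINDINGS, ROLE_ASSIGNMENTS), indent=2))
    print("stale bindings:", stale_backup_bindings(TA_BINDINGS, EXISTING_VAULTS))
```

Two things the output makes visible that a role listing alone does not: an assignment at resource-group scope (`backup-automation`) reaches every vault in that group, so it covers both the live and the decommissioned vault; and the stale binding is exactly the kind of leftover the new `UserErrorTrustedAccessGatewayReturnedForbidden` error would now surface when backup is re-enabled. Run the same correlation over real `az` output to enumerate who held Backup Contributor over a vault bound to each production cluster during the window O'Leary describes.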
The visibility problem for defenders
Without a CVE or advisory, defenders have little visibility into the exposure window or the remediation timeline.
"Organizations that granted Backup Contributor between an unknown start date and May 2026 were exposed to privilege escalation," writes the researcher.
"Without a CVE, security teams can't track this exposure. Silent patching protects vendors, not customers."
The case highlights a structural problem with no easy fix.
Disputes between security researchers and major vendors over severity, exploitability, and disclosure have become common in recent years, especially as vulnerability disclosure programs face growing volumes of reports.
Some open-source maintainers have also publicly complained that AI-assisted reports are overwhelming bug bounty and security triage programs, making it harder for legitimate findings to receive timely attention. Cases where big tech companies declined to patch valid flaws despite repeated contact from different researchers are not unusual either.
Without a framework that realigns incentives for all parties, responsible disclosure risks becoming a bureaucratic exercise that serves no one, least of all the organizations left exposed in the dark.