
Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE


Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power Apps platform that could allow attackers to escalate privileges, perform spoofing attacks, or access sensitive information.

Security researchers discovered these high-severity flaws, with one receiving a maximum CVSS score of 10.0, underscoring the potential impact on enterprise environments.

The most severe vulnerability, CVE-2025-29813, received the maximum CVSS score of 10.0 and affects Azure DevOps pipelines.

The flaw stems from improper handling of pipeline job tokens within Visual Studio.

Attackers with initial access to a project could exploit this vulnerability to swap short-term pipeline tokens for long-term ones, effectively extending their access and privileges within the environment.

“An attacker who successfully exploited this vulnerability could extend their access to a project,” Microsoft explained in its security bulletin. The vulnerability has been classified under CWE-302 (Authentication Bypass by Assumed-Immutable Data).

Azure DevOps Pipeline Token Vulnerability

Alongside ...


Copyright of this story solely belongs to gbhackers.