The ‘critical’ vulnerability in Microsoft’s partner program website can ‘pose significant risks,’ the U.S. cybersecurity agency says.
A “critical” vulnerability potentially affecting users of Microsoft’s partner program website has seen exploitation in cyberattacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed Tuesday.
The flaw (tracked at CVE-2024-49035) impacts Partner.Microsoft.com, and was initially disclosed in November 2024.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
Microsoft had previously marked the vulnerability as “exploited” in its online advisory. However, CISA disclosed Tuesday that based on “evidence of active exploitation,” the agency has now added the flaw to its catalog of exploited vulnerabilities.
CRN has reached out to Microsoft for comment.
The improper access control flaw can be exploited by a threat actor to elevate their privileges on a network — in this case, the Microsoft partner center website — without authentication, according to Microsoft.
Users of the partner center website, however, “do not need to take any action because releases are rolled out automatically over several days,” Microsoft said in the previous advisory about the vulnerability posted in November.
Microsoft had previously said in its advisory that the flaw only impacts the online version of Microsoft Power Apps.
The vulnerability has received a severity score of 9.8 out 10.0 from the National Vulnerability Database, making it a “critical” issue.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in its advisory posted online Tuesday.
