Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities
Microsoft published several critical security advisories affecting cloud and AI services, including Azure Cloud Shell, Azure DevOps, Azure Data Factory, Microsoft Copilot, M365 Copilot, Microsoft 365 Copilot BizChat, Microsoft Bing, and Bing Images. The issues span elevation of privilege, information disclosure, tampering, and remote code execution, with listed weakness classes including SSRF (CWE-918), insufficiently protected credentials (CWE-522), sensitive information exposure (CWE-200), and command injection (CWE-77/CWE-78). Several advisories state that the vulnerabilities require no customer action to resolve, indicating Microsoft-managed remediation for affected online services.
The most severe disclosures include CVE-2026-32169 in Azure Cloud Shell with a CVSS 10.0 elevation-of-privilege rating, CVE-2026-32191 in Microsoft Bing Images with a CVSS 9.8 remote code execution rating, and high-impact flaws in Azure DevOps (CVE-2026-23658), Azure Data Factory (CVE-2026-23659), and Microsoft 365 Copilot BizChat (CVE-2026-26137). Separate advisories also cover information disclosure in Microsoft Copilot (CVE-2026-26136) and M365 Copilot (CVE-2026-24299), plus a tampering flaw in Microsoft Bing (CVE-2026-26120). A separate report on the RegPwn Windows Registry privilege-escalation bug (CVE-2026-24291) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.
Timeline
Apr 23, 2026
Microsoft discloses Microsoft Bing remote code execution flaw
Microsoft published a Security Update Guide entry for CVE-2026-33819, a remote code execution vulnerability affecting Microsoft Bing. This is a newly disclosed Bing vulnerability separate from the Bing issue previously recorded on 2026-03-19.
Apr 2, 2026
Microsoft discloses Azure SRE Agent information disclosure flaw
Microsoft published a Security Update Guide entry for CVE-2026-32173, an information disclosure vulnerability affecting Azure SRE Agent. This adds a newly disclosed Azure product vulnerability not previously captured in the timeline.
Apr 2, 2026
Microsoft discloses Azure MCP Server information disclosure flaw
Microsoft published a Security Update Guide entry for CVE-2026-32211, an information disclosure vulnerability affecting Azure MCP Server. This disclosure adds a new affected product and CVE not previously captured in the timeline.
Mar 20, 2026
dCERT issues advisory on Microsoft 365 Copilot multiple vulnerabilities
dCERT published Advisory 2026-0778 covering multiple vulnerabilities in Microsoft 365 Copilot. The advisory followed Microsoft's disclosures and highlights the Copilot-related issues as a grouped security concern.
Mar 19, 2026
Microsoft discloses multiple cloud and Copilot vulnerabilities
Microsoft published Security Update Guide entries for several vulnerabilities affecting Azure DevOps, Azure Cloud Shell, Azure Data Factory, Microsoft Copilot, Microsoft 365 Copilot, Microsoft 365 Copilot BizChat, Microsoft Bing, and Microsoft Bing Images. The disclosed issues included elevation of privilege, information disclosure, tampering, and remote code execution vulnerabilities identified as CVE-2026-23658, CVE-2026-26136, CVE-2026-32169, CVE-2026-23659, CVE-2026-26137, CVE-2026-32191, CVE-2026-26120, and CVE-2026-24299.
Related Stories

Microsoft Discloses Elevation of Privilege Flaws in MMC, Partner Center, and Microsoft 365 Copilot
Microsoft published security advisories for three **elevation of privilege** vulnerabilities affecting **Microsoft Management Console**, **Microsoft Partner Center**, and **Microsoft 365 Copilot**. The issues are tracked as `CVE-2026-27914`, `CVE-2026-24303`, and `CVE-2026-33102`, respectively, and were added to the Microsoft Security Update Guide as separate product-specific flaws. The disclosures indicate that both on-premises administrative tooling and cloud-connected Microsoft services are affected by privilege-escalation weaknesses. While Microsoft did not provide public synopses in the referenced advisories, the listings identify the impacted products and classify each issue as an elevation of privilege vulnerability, signaling potential risk to administrators, partners, and enterprise users relying on those platforms.
1 week ago
Microsoft Fixes Privilege Escalation and Spoofing Flaws in Azure Databricks and Cloud Services
Microsoft disclosed three cloud-service vulnerabilities affecting **Azure Databricks**, **Microsoft Purview eDiscovery**, and **Microsoft Entra ID Entitlement Management**. The issues are tracked as **`CVE-2026-33107`**, an elevation-of-privilege flaw in Azure Databricks; **`CVE-2026-26150`**, an elevation-of-privilege flaw in Microsoft Purview eDiscovery; and **`CVE-2026-35431`**, a spoofing flaw in Microsoft Entra ID Entitlement Management. Microsoft published the advisories through its Security Update Guide, indicating that multiple enterprise cloud components required security attention at the same time. The affected products span analytics, compliance, and identity governance functions that are widely used in Microsoft-centric environments. While Microsoft provided limited public technical detail in the advisories, the vulnerability classifications indicate potential risks including unauthorized privilege gains in Databricks and Purview workflows, as well as identity or trust abuse scenarios involving Entra ID Entitlement Management. Organizations using these services should review the relevant Microsoft advisories, assess exposure in tenant configurations, and apply available mitigations or service updates through normal cloud security and change-management processes.
1 week ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). 
Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
2 months ago