Multiple Microsoft Azure Vulnerabilities Enable Privilege Escalation
Germany's dCERT published two advisories covering multiple vulnerabilities in Microsoft Azure, with the later notice stating that the flaws can allow privilege escalation. The advisories identify Azure as the affected platform but provide no public synopsis, indicating only that several security issues were addressed across the cloud service.
The paired notices suggest an evolving disclosure in which Microsoft Azure vulnerabilities were first reported broadly and then updated with a more specific impact assessment tied to elevated privileges. Organizations using Azure should review the corresponding vendor guidance and remediation information for the affected services, prioritize patching, and assess whether exposed identities, roles, or cloud resources could be affected by unauthorized privilege gains.
Timeline
Apr 24, 2026
dCERT publishes Microsoft Cloud Products vulnerabilities advisory
dCERT issued Advisory 2026-1236 covering multiple vulnerabilities in Microsoft Cloud Products. No technical synopsis was provided in the reference.
Apr 15, 2026
dCERT reports Azure vulnerabilities enabling privilege escalation
dCERT published Advisory 2026-1077 on additional Microsoft Azure vulnerabilities, specifically noting that multiple flaws allow privilege escalation. This represents a new disclosed development beyond the earlier generic advisory.
Apr 7, 2026
dCERT publishes Azure multiple vulnerabilities advisory
dCERT issued Advisory 2026-0944 for Microsoft Azure covering multiple vulnerabilities. No further technical synopsis was provided in the reference.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
Related Stories
Multiple Vulnerabilities Disclosed in Golang Go and Microsoft Azure Services
Germany's dCERT published advisories for multiple vulnerabilities affecting **Golang Go** and several **Microsoft Azure** services, including **Azure DevOps**, **Data Factory**, and **Cloud Shell**. The Go advisory states that multiple flaws could allow an unspecified attack, indicating potential security impact in applications or environments that rely on the language runtime and related components. A separate dCERT advisory reported multiple vulnerabilities in Microsoft's cloud platform components, expanding the scope of exposure to development, automation, and shell-access services in Azure. While technical details and exploit conditions were not provided in the advisories, the disclosures indicate that organizations using these technologies should review vendor guidance, identify affected deployments, and prioritize remediation once patches or mitigations are available.
3 weeks ago
Microsoft Fixes Privilege Escalation and Spoofing Flaws in Azure Databricks and Cloud Services
Microsoft disclosed three cloud-service vulnerabilities affecting **Azure Databricks**, **Microsoft Purview eDiscovery**, and **Microsoft Entra ID Entitlement Management**. The issues are tracked as **`CVE-2026-33107`**, an elevation-of-privilege flaw in Azure Databricks; **`CVE-2026-26150`**, an elevation-of-privilege flaw in Microsoft Purview eDiscovery; and **`CVE-2026-35431`**, a spoofing flaw in Microsoft Entra ID Entitlement Management. Microsoft published the advisories through its Security Update Guide, indicating that multiple enterprise cloud components required security attention at the same time. The affected products span analytics, compliance, and identity governance functions that are widely used in Microsoft-centric environments. While Microsoft provided limited public technical detail in the advisories, the vulnerability classifications indicate potential risks including unauthorized privilege gains in Databricks and Purview workflows, as well as identity or trust abuse scenarios involving Entra ID Entitlement Management. Organizations using these services should review the relevant Microsoft advisories, assess exposure in tenant configurations, and apply available mitigations or service updates through normal cloud security and change-management processes.
1 weeks ago
Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities
Microsoft published several **critical** security advisories affecting cloud and AI services, including **Azure Cloud Shell**, **Azure DevOps**, **Azure Data Factory**, **Microsoft Copilot**, **M365 Copilot**, **Microsoft 365 Copilot BizChat**, **Microsoft Bing**, and **Bing Images**. The issues span **elevation of privilege**, **information disclosure**, **tampering**, and **remote code execution**, with listed weakness classes including **SSRF** (`CWE-918`), **insufficiently protected credentials** (`CWE-522`), **sensitive information exposure** (`CWE-200`), and **command injection** (`CWE-77`/`CWE-78`). Several advisories state that the vulnerabilities **require no customer action to resolve**, indicating Microsoft-managed remediation for affected online services. The most severe disclosures include **CVE-2026-32169** in *Azure Cloud Shell* with a **CVSS 10.0** elevation-of-privilege rating, **CVE-2026-32191** in *Microsoft Bing Images* with a **CVSS 9.8** remote code execution rating, and high-impact flaws in *Azure DevOps* (**CVE-2026-23658**), *Azure Data Factory* (**CVE-2026-23659**), and *Microsoft 365 Copilot BizChat* (**CVE-2026-26137**). Separate advisories also cover information disclosure in *Microsoft Copilot* (**CVE-2026-26136**) and *M365 Copilot* (**CVE-2026-24299**), plus a tampering flaw in *Microsoft Bing* (**CVE-2026-26120**). A separate report on the **RegPwn** Windows Registry privilege-escalation bug (**CVE-2026-24291**) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.
1 weeks ago