Microsoft has pushed patches for a trio of critical Azure vulnerabilities including a maximum CVSS 10 bug in the self-hosted DevOps Server suite and a CVSS 9.9 bug in its Azure Automation cloud management service.

The trio of critical Azure vulnerabilities (CVE-2025-29827, CVE-2025-29813, CVE-2025-29972) have all been patched by Microsoft on the service side and require no customer action. None is known to have been exploited in the wild and all were found during internal testing, Redmond said.

It is disclosing them under a June 2024 commitment to publish CVEs for cloud vulnerabilities even when no customer action is required; hyperscalers' failure to do so was long a bugbear of security researchers.


The vulnerabilities were disclosed as part of May's Patch Tuesday, which also saw fixes pushed for five known-exploited vulnerabilities: four Elevation of Privilege (EoP) bugs and one remote code execution bug, all rated "Important" rather than Critical.

One of the known-exploited bugs, CVE-2025-30397, reaches back to Internet Explorer (IE) three years after its retirement.

Attackers need their victim to click a "specially crafted link", which forces Microsoft Edge into "Internet Explorer mode".

They then get remote code execution over the network via the vulnerability, which sits in the legacy scripting engine that IE mode uses rather than in Edge's own Chromium code. A CVSS rating of 7.5 could "disguise the potential impact", warned security firm Rapid7.

While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those platforms. - Microsoft. 


Rapid7 Researchers said: "Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost."

Given Microsoft has pledged to support IE mode in Edge until at least 2029, and the affected MSHTML (Trident) platform and its scripting engine are still present even in Windows versions released after IE's retirement in 2022, the flaw is more of a risk than it may first seem. As researchers at the Zero Day Initiative (ZDI) put it: "the ghost of IE continues to haunt us all."

EoP bugs reign

Other zero days fixed by Microsoft included four elevation of privilege (EoP) vulnerabilities, all rated "Important" rather than Critical because an attacker needs existing access to the system, though three allow elevation to SYSTEM, a pattern seen frequently in recent zero days.

Two of those, CVE-2025-32701 and CVE-2025-32706, are flaws in the Windows Common Log File System (CLFS) driver that allow attackers to gain SYSTEM privileges. Such bugs are "usually paired with a code execution bug" and have often been used by ransomware gangs, said ZDI researchers.

Notably, these follow a CLFS zero-day disclosed in April that was being used in ransomware attacks on organisations in the US, Saudi Arabia, Spain and Venezuela.

An EoP flaw in the Microsoft DWM Core Library, the first exploited DWM bug "in some time" according to ZDI, also lets attackers elevate to SYSTEM, while a vulnerability in the Windows Ancillary Function Driver for WinSock broke the pattern, yielding only administrator privileges, though that is still a serious threat on any breached system.
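The IE-mode passage above and this EoP section both come down to one question for an administrator: is this host still carrying the legacy engines and drivers, and has the fix landed? The following read-only PowerShell audit is an added example, not code from the article, Microsoft, Rapid7 or ZDI. It assumes Edge policies live under the standard HKLM Edge policy key, and the KB identifiers it checks are a hypothetical parameter the operator fills in from Microsoft's advisories; none are stated in the article.

```powershell
<#
  Added example, not from the article or any vendor: read-only audit of a
  Windows host for the Edge IE-mode scripting-engine bug and this month's
  CLFS / DWM / AFD elevation-of-privilege fixes.
  Assumptions (not stated in the article): Edge policies live under the
  standard HKLM Edge policy key; KB IDs come from Microsoft's advisories.
#>
param(
    # Hypothetical parameter: KB IDs (form KBnnnnnnn) of the cumulative and
    # IE cumulative updates for this OS build, copied from the advisories.
    [string[]]$RequiredKB = @()
)

$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
function Get-EdgePolicy([string]$Name) {
    (Get-ItemProperty -Path $edgePolicy -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. IE-mode policy state. InternetExplorerIntegrationLevel: 0 = off, 1 = IE mode on.
$level    = Get-EdgePolicy InternetExplorerIntegrationLevel
$reload   = Get-EdgePolicy InternetExplorerIntegrationReloadInIEModeAllowed
$siteList = Get-EdgePolicy InternetExplorerIntegrationSiteList

if ($level -eq 1) {
    Write-Warning 'IE mode is enabled by policy: a crafted link can route a page to the legacy scripting engine.'
} elseif ($null -eq $level) {
    Write-Output 'No IE-mode policy configured; IE mode is governed by user settings.'
} else {
    Write-Output "InternetExplorerIntegrationLevel = $level"
}
if ($reload -eq 1) {
    Write-Warning 'Users may reload any page in IE mode (InternetExplorerIntegrationReloadInIEModeAllowed = 1).'
}

# 2. Which sites the Enterprise Mode Site List forces into IE mode
#    (policy value is an http(s) URL or a local/UNC path to the XML).
if ($siteList) {
    try {
        $xml = if ($siteList -match '^https?://') {
            [xml](Invoke-WebRequest -Uri $siteList -UseBasicParsing).Content
        } else {
            [xml](Get-Content -Path $siteList -Raw)
        }
        Write-Output "Sites listed in ${siteList}:"
        foreach ($site in $xml.SelectNodes('//site')) {
            Write-Output ('  {0,-45} open-in={1}' -f $site.url, $site.'open-in')
        }
    } catch {
        Write-Warning "Could not read site list: $_"
    }
}

# 3. The legacy engines and the drivers behind this month's EoP bugs ship on
#    every Windows build, IE11 removed or not; report version and build date.
$targets = @(
    'System32\jscript.dll',      'System32\jscript9.dll', 'System32\vbscript.dll',
    'System32\mshtml.dll',       'System32\dwmcore.dll',
    'System32\drivers\clfs.sys', 'System32\drivers\afd.sys'
)
$inventory = foreach ($rel in $targets) {
    $path = Join-Path $env:SystemRoot $rel
    if (Test-Path $path) {
        $item = Get-Item $path
        [pscustomobject]@{
            File     = $item.Name
            Version  = $item.VersionInfo.FileVersion
            Modified = $item.LastWriteTime
        }
    }
}
$inventory | Format-Table -AutoSize

# 4. Confirm the updates that carry the fixes are installed.
foreach ($kb in $RequiredKB) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Output "$kb installed."
    } else {
        Write-Warning "$kb not installed: scripting engine, CLFS, DWM and AFD fixes are missing on this host."
    }
}
```

Run it from an elevated PowerShell prompt. A hardened baseline keeps InternetExplorerIntegrationLevel at 0, or at 1 with a short, reviewed site list and ReloadInIEModeAllowed at 0; the inventory in step 3 will still list jscript.dll, mshtml.dll and clfs.sys regardless, which is exactly why patching rather than "we removed IE" is the only real remediation.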

Elsewhere in the update Microsoft disclosed 12 Critical-rated vulnerabilities, including the CVSS 10 EoP vulnerability in Azure DevOps Server, CVE-2025-29813, but as the fix has already been applied on Microsoft's side, developers mercifully have nothing to do.

The Critical vulnerabilities also included six remote code execution flaws in Microsoft Dataverse, Office, Virtual Machine Bus and Remote Desktop, none of which has been seen in the wild, Microsoft said.
