Microsoft Silent Patch for Azure Backup Vulnerability Raises Concerns

Severity: High (Score: 66.0)

Sources: olearysec.com, cwe.mitre.org, Bleepingcomputer, learn.microsoft.com

Summary

A critical privilege escalation vulnerability in Azure Backup for AKS was discovered by researcher Justin O'Leary in March 2026, allowing users with the 'Backup Contributor' role to gain cluster-admin access without prior permissions. Microsoft rejected the vulnerability report, claiming it required existing administrator access, a statement O'Leary disputes. CERT/CC validated the vulnerability as VU#284781 on April 16, 2026, but Microsoft later recommended against issuing a CVE. On May 12, 2026, O'Leary confirmed that Microsoft had silently patched the vulnerability, which now requires manual configuration for Trusted Access. The lack of a CVE means organizations that had the vulnerable role assigned remain unaware of their exposure. The vulnerability is classified as a Confused Deputy vulnerability (CWE-441), affecting Azure Backup for AKS systems.

Key Points:

  • A privilege escalation flaw in Azure Backup for AKS allows unauthorized cluster-admin access.
  • Microsoft rejected the vulnerability report, claiming it required existing admin access, which is incorrect.
  • The vulnerability was silently patched, raising concerns about transparency and customer protection.

Key Entities

  • Data Breach (attack_type)
  • Privilege Escalation (attack_type)
  • CWE-269 - Improper Privilege Management (cwe)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Azure (company)
  • Kubernetes (platform)
  • Confused Deputy (vulnerability)
  • Confused Deputy Vulnerability (vulnerability)