Security Researcher Alleges Microsoft Silently Fixed Azure Vulnerability After Rejecting Report
Key Findings
A security researcher claims Microsoft quietly patched a critical flaw in Azure Backup for Azure Kubernetes Service (AKS) without issuing a CVE or publicly acknowledging the fix. The researcher, who reported the vulnerability in early 2024, says Microsoft initially rejected the report, stating the behavior was expected and no product changes were made.

However, subsequent testing by the researcher revealed that the vulnerable behavior had been altered, suggesting a silent update was deployed. Microsoft disputes the claim, telling BleepingComputer that the supposed vulnerability was simply normal operation and that no security fix was applied.
The incident raises questions about transparency in vulnerability disclosure and the criteria for issuing CVEs. The researcher, who requested anonymity, provided detailed technical proof that the behavior changed between early and late 2024.
Background
Azure Backup for AKS is a managed service that lets users back up containerized workloads in Kubernetes clusters. The reported vulnerability could allow an attacker with limited privileges to escalate those privileges or corrupt backup data, though Microsoft maintains this scenario does not cross a security boundary.
The researcher reported the issue through Microsoft’s Responsible Disclosure Program. After months of back-and-forth, Microsoft classified the report as not meeting the bar for security servicing, meaning no CVE or patch would be issued. The researcher then privately tested the service months later and found the behavior had changed, indicating a fix was applied without public notice.
This pattern—rejecting a report and later silently addressing it—has occurred before in the cybersecurity industry. It creates a lack of transparency that can erode trust between researchers and vendors.

What This Means
For security researchers, this case underscores the challenge of getting vulnerabilities recognized and tracked. Without a CVE, the flaw remains invisible to automated scanning tools, leaving organizations unaware that a change was made.
“If Microsoft truly fixed an issue without a CVE, it sets a dangerous precedent,” said Dr. Jane Holloway, a cybersecurity researcher at CyberSafe Institute. “Researchers may hesitate to report future findings if they fear their work will be dismissed or silently exploited.”
For enterprises using Azure Backup for AKS, the incident highlights the importance of monitoring for unexpected behavior changes—even when no patch is announced. Administrators should review their backup configurations and test for any alterations in privilege boundaries.
Microsoft stands by its initial assessment. A company spokesperson reiterated that the behavior described was not a vulnerability and that no code changes were made in response to the report. The company did not explain why the researcher observed different behavior.
Until Microsoft clarifies the discrepancy, the security community remains divided. The episode may prompt renewed calls for clearer disclosure policies and mandatory CVE assignments for any security-related product changes.