The Cyber Security News

Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score

February 4, 2025

Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions.

The flaws are listed below –

  • CVE-2025-21396 (CVSS score: 7.5) – Microsoft Account Elevation of Privilege Vulnerability
  • CVE-2025-21415 (CVSS score: 9.9) – Azure AI Face Service Elevation of Privilege Vulnerability

“Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network,” Microsoft said in an advisory for CVE-2025-21415, crediting an anonymous researcher for reporting the flaw.


CVE-2025-21396, on the other hand, stems from a case of missing authorization that could permit an unauthorized attacker to elevate privileges over a network. A security researcher who goes by the alias Sugobet has been acknowledged for discovering it.

The tech giant also noted that it’s aware of the existence of proof-of-concept (PoC) exploit code for CVE-2025-21415, adding that both vulnerabilities have been fully mitigated. The shortcomings require no customer action.

The advisories are part of Microsoft’s ongoing efforts to improve transparency by issuing CVEs for critical cloud service vulnerabilities, irrespective of whether customers need to install a patch or take other actions to secure themselves.

“As our industry matures and increasingly migrates to cloud-based services, we must be transparent about significant cybersecurity vulnerabilities that are found and fixed,” it noted back in June 2024.

“By openly sharing information about vulnerabilities that are discovered and resolved, we enable Microsoft and our partners to learn and improve. This collaborative effort contributes to the safety and resilience of our critical infrastructure.”


Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.