Security researcher Justin O'Leary discovered a critical privilege escalation vulnerability in Azure Backup for AKS that allowed a user with only the Backup Contributor role to gain cluster-admin access via a Confused Deputy flaw (CWE-441). Microsoft rejected the report, claiming it required pre-existing admin access — a characterization O'Leary disputes. CERT/CC independently validated the bug but was unable to issue a CVE due to CNA hierarchy rules that give Microsoft final authority over CVE issuance for its own products. Despite Microsoft stating 'no product changes were made,' O'Leary documented that the original attack path no longer works and new permission checks now exist, suggesting a silent patch. The case raises concerns about vendor-controlled CVE processes leaving defenders without visibility into exposure windows.
Table of contents

- CERT agrees it's a bug, but Microsoft blocks CVE
- How the attack worked
- Microsoft says no changes made, behavior says otherwise
- The visibility problem for defenders