Microsoft Patches Critical Security Flaws, Including One Actively Exploited The company credited researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor for reporting the issue

Microsoft has addressed four major security vulnerabilities affecting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center services. One of the vulnerabilities, identified as CVE-2024-49035 and carrying a severity score of 8.7, has already been exploited in the wild. This privilege escalation flaw in Microsoft's Partner Center platform allows attackers to gain unauthorized elevated access over a network. The company credited researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor for reporting the issue but has not disclosed details of its real-world exploitation. Fixes for this vulnerability are being applied automatically.

In addition to CVE-2024-49035, Microsoft has resolved three other vulnerabilities. Two are classified as critical: CVE-2024-49038, a cross-site scripting (XSS) flaw in Copilot Studio with a severity score of 9.3, and CVE-2024-49052, a missing authentication issue in Microsoft Azure PolicyWatch rated at 8.2. Both could allow attackers to escalate privileges over a network. The third, CVE-2024-49053, is a spoofing vulnerability in Dynamics 365 Sales, with a score of 7.6. This flaw could enable attackers to redirect users to malicious websites via specially crafted URLs.

While most of these vulnerabilities have been automatically mitigated, Microsoft advises users of Dynamics 365 Sales apps on Android and iOS to update to version 3.24104.15 to protect against CVE-2024-49053. The company continues to roll out updates to safeguard its platforms, urging users to remain vigilant and apply recommended patches to maintain security.