Microsoft Fixes AI, Cloud, and ERP Vulnerabilities Including One Exploited in Active Attacks

Microsoft has patched four security vulnerabilities affecting various services, with one actively exploited in attacks. The most critical issue is CVE-2024-49035, a privilege escalation flaw in partner.microsoft.com that allows unauthenticated attackers to elevate privileges.

The other patched vulnerabilities include:

  • CVE-2024-49038 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Copilot Studio that could allow an unauthorized attacker to escalate privileges over a network
  • CVE-2024-49052 (CVSS score: 8.2) – A missing authentication for a critical function vulnerability in Microsoft Azure PolicyWatch that could allow an unauthorized attacker to escalate privileges over a network
  • CVE-2024-49053 (CVSS score: 7.6) – A spoofing vulnerability in Microsoft Dynamics 365 Sales that could allow an authenticated attacker to trick a user into clicking on a specially crafted URL and potentially redirect the victim to a malicious site

Most fixes are being deployed automatically through Microsoft Power Apps updates. However, Dynamics 365 Sales users need to update their mobile apps to version 3.24104.15 to protect against the spoofing vulnerability.

While Microsoft acknowledged the researchers who reported CVE-2024-49035, it has not provided details about how the flaw is being exploited in the wild.
