CVE-2024-49035
Partner.Microsoft.Com Elevation of Privilege Vulnerability
Vexday Risk Score
51 · Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 8.7 · EPSS 1.3% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch referenced
Lifecycle
26 Nov 2024: Published on NVD
25 Feb 2025: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
An attacker without an account can gain unauthorized higher-level access on Partner.Microsoft.com over the network. This is dangerous because it allows them to perform actions they shouldn't be allowed to do, potentially accessing sensitive partner information or making unauthorized changes.
Technical detail
An improper access control vulnerability (CWE-269) in Partner.Microsoft.com permits unauthenticated remote attackers to escalate privileges. The vulnerability stems from insufficient validation of access permissions, enabling attackers to perform operations reserved for authenticated or higher-privileged users.
Summary generated and translated by AI from the official description.
An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
Affected products
Microsoft · Microsoft Partner Center