A security researcher has accused Microsoft of silently patching a serious vulnerability in Azure Backup for AKS after dismissing his report and preventing the assignment of a CVE. The flaw reportedly allowed attackers with the low-privileged "Backup Contributor" role to escalate privileges to cluster-admin. Microsoft denies the claim, stating that the observed behavior was by design and that "no product changes were made." However, the researcher documented the addition of new permission checks and the failure of his exploit attempts following disclosure, indicating a quiet fix. CERT considers it a legitimate bug, but Microsoft has blocked the issuance of a CVE.

Security researcher Justin O'Leary found the vulnerability this March and reported it to Microsoft on March 17. The Microsoft Security Response Center (MSRC) dismissed the report on April 13, stating that the flaw only allowed an attacker to obtain cluster-admin privileges on a cluster where they already had administrator access — a description O'Leary says completely misrepresents the issue.

"This is factually incorrect," the researcher said. "The vulnerability lets a user with zero Kubernetes permissions escalate to cluster-admin." The attack requires no prior cluster access — it provides it instead.

O'Leary adds that Microsoft labeled the submission to MITRE as "AI-generated content," a characterization that, he says, failed to engage with the technical substance of the report.

Following the rejection, O'Leary referred the matter to the CERT Coordination Center, which independently confirmed the vulnerability on April 16 and, per the researcher, assigned it the identifier VU#284781.

CERT/CC assigns the vulnerability a tracking ID and a coordinated disclosure date. (Justin O'Leary)

CERT/CC had originally planned to disclose the issue publicly on June 1, 2026, but that disclosure never occurred.

On May 4, Microsoft employees reportedly reached out to MITRE and advised against assigning a CVE, once again contending that the vulnerability required administrative access to begin with.

Microsoft advises MITRE against issuing a CVE.
BleepingComputer