Agents
Microsoft Rejects Azure Backup for AKS Privilege Escalation Report, Refuses CVE Despite Silent Fix
A security researcher documented a critical privilege escalation flaw allowing cluster-admin access from the low-privileged 'Backup Contributor' role in Azure Backup for AKS. Microsoft rejected the report, claiming the behavior required pre-existing administrative access, then quietly fixed the issue without issuing a CVE. CERT/CC assigned VU#284781 but closed the case under CNA hierarchy rules, leaving Microsoft (as its own CNA) with final authority over CVE issuance for its products. Without a CVE or advisory, security teams cannot track the exposure window for organizations that granted Backup Contributor between an unknown start date and May 2026.
↳ Follow the thread