CVE-2025-21380

CVE-2025-21380 is an improper access control vulnerability affecting Azure SaaS Resources. Published on January 9, 2025, it allows an authorized attacker to disclose information over a network. The vulnerability is associated with CWE-284 (Improper Access Control) and NVD-CWE-Other, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. Successful exploitation enables high-level disclosure of sensitive information, alongside potential high impacts to integrity and availability, such as unauthorized modifications or disruptions within the affected Azure SaaS Resources.

For mitigation details, including available patches and remediation steps, security practitioners should refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21380.