CVE-2025-26683
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26683 is an improper authorization vulnerability (CWE-285) in Azure Playwright that enables privilege escalation. It affects the Azure Playwright component, where flawed authorization checks allow unauthorized access. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), reflecting its network-based attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
An unauthorized attacker can exploit this vulnerability over a network by leveraging the improper authorization mechanism to elevate privileges. Exploitation requires high complexity but no prior access or user involvement, potentially granting the attacker full control over affected systems, including unauthorized data access, modification, and disruption.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26683 provides details on mitigation and patching guidance for this vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization vulnerability enables network-based exploitation for privilege escalation (T1068) in a public-facing Azure service (T1190).