Full Report
Microsoft has addressed four security flaws impacting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center offerings, including one that it said has been exploited in the wild. The vulnerability that has been tagged with an "Exploitation Detected" assessment is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft[.]com. "An
Analysis Summary
# Vulnerability: Microsoft Security Updates Address Active Exploitation in Cloud and ERP Services
## CVE Details
- CVE ID: CVE-2024-49035
- CVSS Score: 8.7 (High)
- CWE: Improper Access Control
- **Other Linked CVEs/Scores:**
  - CVE-2024-49038: CVSS 9.3 (Critical) - Cross-Site Scripting (XSS)
  - CVE-2024-49052: CVSS 8.2 (High) - Missing Authentication for Critical Function
  - CVE-2024-49053: CVSS 7.6 (High) - Spoofing
## Affected Systems
- **Products:**
  - Partner Center (partner\[.\]microsoft\[.\]com)
  - Microsoft Copilot Studio
  - Microsoft Azure PolicyWatch
  - Microsoft Dynamics 365 Sales (Android/iOS apps)
- **Versions:**
  - Dynamics 365 Sales apps for Android and iOS (prior to version 3.24104.15)
- **Configurations:** Primarily impacts online/cloud services components.
## Vulnerability Description
**CVE-2024-49035 (Actively Exploited):** This is an improper access control vulnerability within `partner.microsoft.com`. It allows an unauthenticated attacker to escalate privileges over a network against the service.
**CVE-2024-49038:** A Cross-Site Scripting (XSS) vulnerability in Copilot Studio that could allow an unauthorized attacker to escalate privileges over a network.
**CVE-2024-49052:** A missing authentication for a critical function in Microsoft Azure PolicyWatch, potentially allowing an unauthorized attacker to escalate privileges over a network.
**CVE-2024-49053:** A spoofing vulnerability in Microsoft Dynamics 365 Sales that allows an authenticated attacker to redirect a victim to a malicious site by tricking them into clicking a specially crafted URL.
## Exploitation
- **Status (CVE-2024-49035):** Exploited in the wild ("Exploitation Detected"). Specific exploitation details were not publicly disclosed by Microsoft.
- **Status (Other CVEs):** Not explicitly mentioned as exploited in the wild, but all are privilege escalation or high-impact flaws.
- **Complexity:** Low for CVE-2024-49035, since it requires no authentication.
- **Attack Vector:** Network (implied for the remote privilege escalation and XSS flaws; the Dynamics 365 Sales spoofing flaw additionally depends on the victim clicking a crafted URL).
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2024-49035** | High (Due to elevation of privilege) | High (Due to elevation of privilege) | Unknown/Potential |
| **CVE-2024-49038** | High (Due to elevation of privilege) | High (Due to elevation of privilege) | Unknown/Potential |
| **CVE-2024-49052** | High (Due to elevation of privilege) | High (Due to elevation of privilege) | Unknown/Potential |
| **CVE-2024-49053** | Potential Redirect (Phishing/Spoofing) | High (Impersonation/Redirection) | Low |
## Remediation
### Patches
- Fixes for CVE-2024-49035, CVE-2024-49038, and CVE-2024-49052 are being rolled out automatically as part of updates to the online version of **Microsoft Power Apps** and related cloud services. No specific user action is immediately required for these cloud fixes.
### Workarounds
- **For CVE-2024-49053 (Dynamics 365 Sales Spoofing):** Users are advised to update **Dynamics 365 Sales apps for Android and iOS** to the latest version, **3.24104.15**, to secure against this flaw.
## Detection
- **Indicators of Compromise (IoCs):** No specific IoCs or threat intelligence on the nature of the active exploitation of CVE-2024-49035 were provided in the summary.
- **Detection Methods and Tools:** Monitoring access-control and sign-in activity logs for the Partner Center environment may reveal unusual privilege changes or access patterns following exploitation of CVE-2024-49035. Reviewing web traffic to Copilot Studio for suspicious script-bearing input may surface attempts against the XSS flaw (CVE-2024-49038). No vendor-supplied detection signatures were referenced in the summary.
## References
- Microsoft Security Update Guide (Specific guidance should reference the official MSRC advisory corresponding to these CVEs).
- Vendor advisory released this week detailing fixes.