Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Critical information disclosure vulnerability in Microsoft Power Automate that allows unauthenticated remote attackers to expose sensitive information and escalate privileges across a network without requiring user interaction. With a CVSS score of 9.8 and an unauthenticated attack vector, this vulnerability represents an immediate and severe risk to organizations using Power Automate; exploitation is likely being actively pursued given the severity metrics and network-accessible nature of the vulnerability.
Technical ContextAI
This vulnerability exists in Microsoft Power Automate, a cloud-based workflow automation platform integrated within Microsoft 365 and Dynamics 365 ecosystems. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper access controls or information leakage mechanisms in the platform's API, authentication layer, or data handling routines. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), suggesting the flaw does not require sophisticated exploitation techniques or knowledge of dynamic system conditions. Power Automate manages sensitive data flows including credentials, API tokens, and business logic—making information disclosure in this platform particularly dangerous for privilege escalation chains.
RemediationAI
- Apply the latest security patch released by Microsoft for Power Automate through the Microsoft Update Catalog or automatic deployment in Microsoft 365 admin center. 2) If patch details are available in Microsoft Security Update Guide, prioritize updates for affected versions immediately—treat as critical/emergency patching. 3) Temporary mitigations: restrict access to Power Automate APIs and management endpoints via network-level controls (WAF, conditional access policies) while awaiting patches. 4) Review and revoke any API connections, shared flows, or service accounts that may have been compromised or accessed during exploitation window. 5) Enable enhanced audit logging for Power Automate activities and review access logs for unauthorized API calls or data exfiltration patterns. 6) Consult Microsoft Security Advisory (MSRC) and Power Automate product security documentation for official patch availability and deployment guidance.
More in Power Automate For Desktop
View allExposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose i
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
Microsoft Power Automate Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no a
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17028