Skip to main content

Power Automate For Desktop CVE-2025-47966

| EUVDEUVD-2025-17028 CRITICAL
Information Exposure (CWE-200)
2025-06-05 secure@microsoft.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 17:53 euvd
EUVD-2025-17028
Analysis Generated
Mar 14, 2026 - 17:53 vuln.today
CVE Published
Jun 05, 2025 - 21:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Critical information disclosure vulnerability in Microsoft Power Automate that allows unauthenticated remote attackers to expose sensitive information and escalate privileges across a network without requiring user interaction. With a CVSS score of 9.8 and an unauthenticated attack vector, this vulnerability represents an immediate and severe risk to organizations using Power Automate; exploitation is likely being actively pursued given the severity metrics and network-accessible nature of the vulnerability.

Technical ContextAI

This vulnerability exists in Microsoft Power Automate, a cloud-based workflow automation platform integrated within Microsoft 365 and Dynamics 365 ecosystems. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper access controls or information leakage mechanisms in the platform's API, authentication layer, or data handling routines. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), suggesting the flaw does not require sophisticated exploitation techniques or knowledge of dynamic system conditions. Power Automate manages sensitive data flows including credentials, API tokens, and business logic—making information disclosure in this platform particularly dangerous for privilege escalation chains.

RemediationAI

  1. Apply the latest security patch released by Microsoft for Power Automate through the Microsoft Update Catalog or automatic deployment in Microsoft 365 admin center. 2) If patch details are available in Microsoft Security Update Guide, prioritize updates for affected versions immediately—treat as critical/emergency patching. 3) Temporary mitigations: restrict access to Power Automate APIs and management endpoints via network-level controls (WAF, conditional access policies) while awaiting patches. 4) Review and revoke any API connections, shared flows, or service accounts that may have been compromised or accessed during exploitation window. 5) Enable enhanced audit logging for Power Automate activities and review access logs for unauthorized API calls or data exfiltration patterns. 6) Consult Microsoft Security Advisory (MSRC) and Power Automate product security documentation for official patch availability and deployment guidance.

Share

CVE-2025-47966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy