EUVD-2025-17028

CVE-2025-47966 CRITICAL
2025-06-05 [email protected]
9.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:53 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:53 (euvd), EUVD-2025-17028
CVE Published: Jun 05, 2025 - 21:15 (nvd), CRITICAL 9.8

Description

Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.

Analysis

This is a critical information disclosure vulnerability in Microsoft Power Automate that allows unauthenticated remote attackers to expose sensitive information and escalate privileges across a network without requiring user interaction. With a CVSS score of 9.8 and an unauthenticated attack vector, this vulnerability represents an immediate and severe risk to organizations using Power Automate; exploitation is likely being actively pursued given the severity metrics and network-accessible nature of the vulnerability.

Technical Context

This vulnerability exists in Microsoft Power Automate, a cloud-based workflow automation platform integrated within the Microsoft 365 and Dynamics 365 ecosystems. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper access controls or information leakage in the platform's API, authentication layer, or data handling routines. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), which suggests the flaw requires neither sophisticated exploitation techniques nor knowledge of dynamic system conditions. Power Automate manages sensitive data flows, including credentials, API tokens, and business logic, which makes information disclosure in this platform particularly dangerous as a link in privilege escalation chains.

Affected Products

Microsoft Power Automate (all versions subject to official vendor guidance; specific version ranges should be confirmed from the Microsoft Security Update Guide). The vulnerability affects Power Automate cloud service instances and any on-premises or hybrid deployments that expose the affected components. Related affected products may include Microsoft Dynamics 365 and Microsoft 365 applications that integrate with Power Automate workflow services. CPE data would typically be: cpe:2.3:a:microsoft:power_automate:*:*:*:*:*:*:*:* with version constraints pending official advisory release.

Remediation

1) Apply the latest security patch released by Microsoft for Power Automate through the Microsoft Update Catalog or automatic deployment in the Microsoft 365 admin center.
2) If patch details are available in the Microsoft Security Update Guide, prioritize updates for affected versions immediately; treat this as critical/emergency patching.
3) Temporary mitigations: restrict access to Power Automate APIs and management endpoints via network-level controls (WAF, conditional access policies) while awaiting patches.
4) Review and revoke any API connections, shared flows, or service accounts that may have been compromised or accessed during the exploitation window.
5) Enable enhanced audit logging for Power Automate activities and review access logs for unauthorized API calls or data exfiltration patterns.
6) Consult Microsoft Security Advisory (MSRC) and Power Automate product security documentation for official patch availability and deployment guidance.

Priority Score: 51

KEV: 0
EPSS: +1.8
CVSS: +49
POC: 0
