The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory on February 25, 2025, confirming that threat actors are actively exploiting a critical privilege escalation vulnerability in Microsoft’s Partner Center platform (CVE-2024-49035).
The improper access control flaw, which Microsoft says allows an unauthenticated attacker to elevate privileges over a network, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild abuse.
Microsoft initially disclosed the vulnerability in November 2024, assigning it a CVSS score of 8.7. However, the National Vulnerability Database later rated it 9.8 out of 10 due to its low attack complexity and high impact on confidentiality and integrity.
Vulnerability Details and Exploitation
CVE-2024-49035 originates from improper privilege management in the Microsoft Partner Center portal (partner.microsoft.com), a hub for managing cloud services, licenses, and customer accounts.
Attackers can exploit the flaw without authentication to escalate privileges, potentially accessing sensitive data, deploying malicious payloads, or moving laterally across networks.
While Microsoft has not disclosed specifics about the ongoing attacks, CISA emphasized the severity of the flaw, noting that vulnerabilities of this type are “frequent attack vectors” for malicious cyber actors. Security researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor are credited with reporting the flaw, though no public exploitation reports accompanied the initial disclosure.
Microsoft has already rolled out the fix to the Power Apps online service that underpins Partner Center, and says no customer action is required because the patch was applied on the service side.
CISA nonetheless requires Federal Civilian Executive Branch agencies to complete the catalog’s required action by March 18, 2025, and urges private-sector organizations to follow suit.
Because the fix lives on Microsoft’s side, the practical work for customers is verifying exposure and hardening around the portal: enforcing network segmentation, auditing access controls (in particular who holds elevated roles in Partner Center), and adopting zero-trust principles to limit lateral movement.
The exploitation of CVE-2024-49035 highlights persistent risks in widely used enterprise platforms. Unlike the simultaneous Zimbra XSS flaw (CVE-2023-34192) also added to the KEV catalog, this Microsoft vulnerability affects a central partner ecosystem, amplifying potential supply chain compromises.
Its linkage to Microsoft Power Apps raises concerns about shared infrastructure risks, though the company maintains the issue is confined to the online service.
Organizations are advised to monitor Microsoft’s advisories and to follow CISA’s Binding Operational Directive 22-01, which governs remediation of KEV catalog entries by their due dates, including entries for cloud-hosted services such as this one.
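Tracking KEV due dates by hand does not scale, so the usual practice is to pull the catalog feed and match it against an asset inventory. The following script is an added example, not code from the article, CISA or Microsoft: it parses a catalog excerpt in the same JSON shape CISA publishes, matches entries against a vendor/product inventory, and flags each matched CVE as overdue, due soon, or scheduled relative to a reference date. The catalog text embedded below is constructed for the example (the two entries use the CVE IDs, vendors and dates named in the article; the description and action strings are placeholders), and the inventory set and the seven-day warning window are assumptions.

```python
"""Triage CISA KEV catalog entries against a local asset inventory.

Added example (not from the article). The KEV_SAMPLE text below is a
constructed excerpt that mirrors the field names of the real feed; the
live catalog is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed. CVE IDs, vendors
# and dates come from the article; description/action text is placeholder.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.02.25",
    "dateReleased": "2025-02-25T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-49035",
            "vendorProject": "Microsoft",
            "product": "Partner Center",
            "vulnerabilityName": "Microsoft Partner Center Improper Access Control Vulnerability",
            "dateAdded": "2025-02-25",
            "shortDescription": "placeholder description",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-03-18",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-34192",
            "vendorProject": "Zimbra",
            "product": "Collaboration Suite (ZCS)",
            "vulnerabilityName": "Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
            "dateAdded": "2025-02-25",
            "shortDescription": "placeholder description",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-03-18",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Assumed inventory: (vendorProject, product) pairs the organisation uses.
INVENTORY = {("Microsoft", "Partner Center")}


def load_catalog(text: str) -> list[dict]:
    """Parse the feed and sanity-check the advertised entry count."""
    doc = json.loads(text)
    vulns = doc["vulnerabilities"]
    if "count" in doc and doc["count"] != len(vulns):
        raise ValueError("KEV feed count does not match vulnerabilities array")
    return vulns


def match_inventory(vulns: list[dict], inventory: set[tuple[str, str]]) -> list[dict]:
    """Keep only entries whose vendor/product pair is in the inventory (case-insensitive)."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in vulns
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def triage(vulns: list[dict], inventory: set[tuple[str, str]],
           today: date, warn_days: int = 7) -> list[dict]:
    """Classify matched entries by distance to the BOD 22-01 due date.

    Returns one record per matched CVE, soonest due date first. A negative
    'days' value means the due date has already passed.
    """
    report = []
    for e in match_inventory(vulns, inventory):
        days = (date.fromisoformat(e["dueDate"]) - today).days
        if days < 0:
            status = "OVERDUE"
        elif days <= warn_days:
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        report.append({
            "cve": e["cveID"],
            "status": status,
            "days": days,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "action": e["requiredAction"],
        })
    return sorted(report, key=lambda r: r["days"])


if __name__ == "__main__":
    for rec in triage(load_catalog(KEV_SAMPLE), INVENTORY, date.today()):
        print(f"{rec['cve']}: {rec['status']} ({rec['days']:+d} days) - {rec['action']}")
```

For a service-side fix like this one the "required action" still has to be closed out, which in practice means confirming the vendor's statement and reviewing portal access, so the entry should stay on the tracker until that review is recorded rather than being auto-closed because no patch was installed locally.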