Microsoft Silently Patched a CVSS 9.9 Privilege Escalation in Azure Backup for AKS
By Justin O'Leary
May 12, 2026
CVE: None (vendor rejected)
Status: Published
CVSS 3.1 Base Score: 9.9 (Critical)

In March 2026, I discovered a privilege escalation vulnerability in Azure Backup for AKS that allowed a user with only the “Backup Contributor” Azure role (zero Kubernetes permissions) to gain cluster-admin on any AKS cluster.

CERT/CC validated this finding as VU#284781 on April 16, 2026.

Microsoft rejected it, claiming the “attacker already held administrator access.” This was factually incorrect — the vulnerability grants cluster-admin, it does not require it.

On May 12, 2026, I confirmed Microsoft has silently patched the behavior without:

- Assigning a CVE
- Publishing a security advisory
- Notifying affected customers

Media Coverage

BleepingComputer, May 16, 2026:
"Microsoft rejected the vulnerability and asked Mitre not to give it a CVE. Despite its rejection, Microsoft silently patched the bug without disclosing it to customers."
Ax Sharma — Security researcher & journalist
Kim Zetter, May 12, 2026 (award-winning cybersecurity journalist, author of Countdown to Zero Day), on X:
"Researcher @olearysec found privilege-escalation vuln in Azure Backup for AKS and reported to @microsoft. CERT validated it but Microsoft rejected it and asked Mitre not to give it CVE. Then he says Microsoft silently patched it without telling users"

CERT/CC Validation

CERT/CC independently validated this vulnerability and assigned VU#284781. The case was scheduled for public disclosure on June 1, 2026.
Microsoft’s CVE Rejection

On May 4, 2026, Microsoft’s Lisa Olson emailed MITRE recommending no CVE be assigned. The email contains a false claim that “the attacker already held administrator access to the cluster.”

This is factually incorrect. The vulnerability allows a user with zero Kubernetes permissions to gain cluster-admin. The attack does not require existing cluster access — it grants it.

Microsoft also claimed the report was “AI-generated content” — an ad hominem deflection that does not address the technical validity of the finding.

CERT/CC Case Closure

Two days later, on May 6, 2026, CERT/CC closed the case, citing CNA hierarchy rules.

The closure came despite CERT/CC having already validated the vulnerability and assigned VU#284781. The case remains marked as INACTIVE in VINCE.
Vulnerability Details

Azure Backup for AKS uses Trusted Access to grant the backup extension cluster-admin privileges. The vulnerability allowed a user with only Backup Contributor (an Azure RBAC role with zero Kubernetes permissions) to trigger this access grant.

Attack chain:

1. Attacker has Backup Contributor on the backup vault (no Kubernetes access)
2. Attacker enables backup on the target AKS cluster
3. Azure auto-grants Trusted Access with cluster-admin
4. Attacker extracts secrets via backup or restores malicious workloads

This crossed the trust boundary between Azure RBAC and Kubernetes RBAC — a Confused Deputy vulnerability (CWE-441).

CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Evidence of Silent Patch

Current behavior returns errors that did not exist in March 2026:

    ERROR: UserErrorTrustedAccessGatewayReturnedForbidden
    "The Trusted Access role binding is missing/has gotten removed"

The system now requires Trusted Access to be manually configured before backup can be enabled — the opposite of the vulnerable behavior I reported.

Additional permission checks were also added:

- Vault MSI now requires Reader role on the cluster
- Vault MSI now requires Reader role on the snapshot resource group
- AKS cluster MSI now requires Contributor role on the snapshot resource group

These validation checks did not exist during my original testing in March 2026.
The original attack path is now blocked.

Timeline

Date        Event
2026-03-17  Reported to MSRC (Case 110827 / VULN-178608)
2026-04-13  MSRC rejected with false claim
2026-04-14  Submitted to CERT/CC
2026-04-16  CERT/CC validated as VU#284781
2026-04-16  CERT/CC scheduled public disclosure for 2026-06-01
2026-05-04  Microsoft’s Lisa Olson emails MITRE recommending no CVE
2026-05-06  CERT/CC closes case citing CNA hierarchy
2026-05-12  Confirmed silent patch via changed error behavior

Why This Matters

The coordinated disclosure process failed:

- CERT/CC validated the vulnerability
- Microsoft patched without acknowledgment
- No CVE was assigned
- Customers were never notified

Organizations that granted Backup Contributor between an unknown start date and May 2026 were exposed to privilege escalation. Without a CVE, security teams cannot track this exposure.

Silent patching protects vendors, not customers.

References

MSRC Case: 110827
VULN ID: VULN-178608
CERT/CC: VU#284781 (closed)
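Because no CVE exists to drive scanner coverage, a security team that wants to size its own exposure has to reason about the trust path directly: which principals hold Backup Contributor on a vault, which clusters that vault's identity reaches through a Trusted Access role binding, and whether those principals have any Kubernetes RBAC of their own. The script below is an added example of that access review (not the author's tooling and not an Azure API); it runs over constructed inventory data shaped like the output of `az role assignment list` and `az aks trustedaccess rolebinding list`, and the Trusted Access role name `Microsoft.DataProtection/backupVaults/backup-operator` is an assumption to verify against your own bindings.

```python
"""Access review for the Azure RBAC -> Kubernetes RBAC trust-boundary crossing.

Added example with constructed data. It answers: which principals can reach a
cluster only through a backup vault's Trusted Access binding, i.e. the
population the advisory above says cannot be tracked without a CVE.
"""

BACKUP_CONTRIBUTOR = "Backup Contributor"
# Assumed Trusted Access role name for the backup extension; placeholder, verify in your tenant.
BACKUP_TRUSTED_ROLE = "Microsoft.DataProtection/backupVaults/backup-operator"

# Constructed resource ids (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_BACKUP = SUB + "/resourceGroups/rg-backup"
VAULT_A = RG_BACKUP + "/providers/Microsoft.DataProtection/backupVaults/vault-a"
VAULT_B = RG_BACKUP + "/providers/Microsoft.DataProtection/backupVaults/vault-b"
VAULT_C = RG_BACKUP + "/providers/Microsoft.DataProtection/backupVaults/vault-c"
PROD_AKS = SUB + "/resourceGroups/rg-aks/providers/Microsoft.ContainerService/managedClusters/prod-aks"
DEV_AKS = SUB + "/resourceGroups/rg-aks/providers/Microsoft.ContainerService/managedClusters/dev-aks"

# Constructed Azure role assignments, simplified from what `az role assignment list` returns.
ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": BACKUP_CONTRIBUTOR, "scope": VAULT_A},
    {"principal": "bob",   "role": BACKUP_CONTRIBUTOR, "scope": RG_BACKUP},  # inherited by every vault in the RG
    {"principal": "carol", "role": BACKUP_CONTRIBUTOR, "scope": VAULT_B},
    {"principal": "dave",  "role": "Reader",           "scope": VAULT_A},    # not a backup operator
]

# Constructed Trusted Access role bindings: one per (cluster, source resource).
TRUSTED_ACCESS_BINDINGS = [
    {"cluster": PROD_AKS, "sourceResourceId": VAULT_A, "roles": [BACKUP_TRUSTED_ROLE]},
    {"cluster": DEV_AKS,  "sourceResourceId": VAULT_B, "roles": [BACKUP_TRUSTED_ROLE]},
    {"cluster": DEV_AKS,  "sourceResourceId": VAULT_C, "roles": ["example/unrelated-role"]},
]

# Constructed view of principals that already hold some Kubernetes RBAC binding per cluster.
K8S_PRINCIPALS = {PROD_AKS: set(), DEV_AKS: {"carol"}}


def scope_covers(scope, resource_id):
    """Azure RBAC assignments inherit downward: a scope covers a resource when it is
    the resource itself or a segment-aligned ancestor (ids compare case-insensitively)."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def find_exposed_paths(assignments, bindings, k8s_principals):
    """Return sorted (principal, vault, cluster, has_k8s_rbac) tuples for every principal
    whose Backup Contributor grant on a vault reaches a cluster via a Trusted Access binding."""
    paths = []
    for b in bindings:
        if BACKUP_TRUSTED_ROLE not in b["roles"]:
            continue  # binding is for some other service, not the backup extension
        for a in assignments:
            if a["role"] != BACKUP_CONTRIBUTOR or not scope_covers(a["scope"], b["sourceResourceId"]):
                continue
            has_rbac = a["principal"] in k8s_principals.get(b["cluster"], set())
            paths.append((a["principal"], b["sourceResourceId"], b["cluster"], has_rbac))
    return sorted(paths)


def escalation_candidates(paths):
    """Paths where the principal has no Kubernetes RBAC of their own: the vault binding is the
    only thing connecting them to the cluster, which is the population to review first."""
    return [p for p in paths if not p[3]]


if __name__ == "__main__":
    paths = find_exposed_paths(ROLE_ASSIGNMENTS, TRUSTED_ACCESS_BINDINGS, K8S_PRINCIPALS)
    for principal, vault, cluster, has_rbac in paths:
        marker = "existing k8s rbac" if has_rbac else "NO k8s rbac (review)"
        print(f"{principal:6} -> {vault.rsplit('/', 1)[-1]} -> {cluster.rsplit('/', 1)[-1]}  [{marker}]")
```

Two details matter when adapting this to real inventory: scope matching must be segment-aligned (a grant on `rg-backup` must not match `rg-backup2`), and group membership has to be expanded before the principal comparison, since both Azure role assignments and Kubernetes RBAC bindings are commonly granted to Entra groups rather than users.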