CVE-2025-25002: Azure Local Cluster Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 6.8)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Apr
Released: 2025-04-08
EPSS Score: 1.31% (percentile: 79.8%)

Description

Insertion of sensitive information into log file in Azure Local Cluster allows an authorized attacker to disclose information over an adjacent network.

FAQ

What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information.

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?
This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Affected Products (1)

Azure

  • Azure Local Cluster

Security Updates (1)

Acknowledgments

Alex Stanescu with Microsoft, Derek Chu and Alex Stanescu with Microsoft

Revision History

  • 2025-04-08: Information published.