CVE-2025-26628: Azure Local Cluster Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Apr

Released

2025-04-08

EPSS Score

0.57% (percentile: 68.8%)

Description

Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is device information such as a token, credentials, resource ids, sas tokens, user properties, and other sensitive information. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), and some loss of availability (A:L). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could view sensitive information, such as a token and credential in this scenario (Confidentiality) and make changes to disclosed information (Integrity), and they might be able to force a crash within the service (Availability).

Affected Products (1)

Azure

• Azure Local Cluster

Security Updates (1)

• Release Notes

Acknowledgments

Vani Nadh Koyi with Microsoft, Vijay Chegu with Microsoft, Dan DeFolo with Microsoft

Revision History

• 2025-04-08: Information published.