CVE-2025-29819: Windows Admin Center in Azure Portal Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 6.2)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Apr

Released

2025-04-08

Last Updated

2025-07-22

EPSS Score

1.36% (percentile: 80.2%)

Description

External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability includes unauthorized read-only access to the local file system.

Affected Products (2)

Azure

• Windows Admin Center in Azure Portal

Windows

• Windows Admin Center

Security Updates (2)

• Release Notes
• Release Notes

Acknowledgments

Rodrigo D' Afonseca Silva, Pedro Henrique Pereira Souza, Lucas Luna Gomes Do Rosario, and Josè Acácio Dos Santos Costa, cjm00n, wh1tc with Kunlun Lab & Zhiniang Peng with HUST, Víctor A. Morales from GM Sectec, Inc.

Revision History

• 2025-04-08: Information published.
• 2025-04-22: Updated acknowledgment. This is an informational change only.
• 2025-07-22: Updated acknowledgment. This is an informational change only.