Critical Azure Backup for AKS Privilege‑Escalation Flaw Blocked from CVE Assignment
What Happened — A security researcher disclosed a critical privilege‑escalation vulnerability in Azure Backup for Azure Kubernetes Service (AKS) that lets a user with the low‑privileged “Backup Contributor” role obtain full cluster‑admin rights. Microsoft rejected the report, claimed the behavior was expected, and prevented a CVE from being issued despite independent validation by CERT/CC.
Why It Matters for TPRM —
- Unmitigated privilege‑escalation bugs can give third‑party vendors or service‑provider staff unintended admin access to customer workloads.
- Lack of a public CVE hampers risk‑scoring and vulnerability‑management processes for organizations that rely on Azure services.
- Silent patches or undocumented changes create blind spots in supply‑chain risk assessments.
Who Is Affected — Cloud‑infrastructure providers, SaaS platforms built on Azure AKS, and any organization that uses Azure Backup for AKS (across finance, healthcare, technology, and other sectors).
Recommended Actions —
- Review contracts and security clauses with Microsoft Azure regarding vulnerability disclosure and CVE issuance.
- Verify that Azure Backup for AKS RBAC settings in your environment enforce least‑privilege principles.
- Add this CVE gap to your vulnerability‑management backlog and monitor Microsoft’s advisories for an official patch.
Technical Notes — The flaw stems from Azure Trusted Access automatically granting cluster‑admin privileges when a backup operation is enabled. An attacker with only the Backup Contributor role can trigger this, achieving a “confused deputy” (CWE‑441) condition that bypasses Kubernetes RBAC. No CVE was assigned; CERT/CC labeled it VU#284781. Source: BleepingComputer
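The two conditions described above (a Trusted Access backup binding on a cluster, plus a principal holding Backup Contributor at a scope that reaches that cluster) can be correlated from existing Azure inventory. The following is an added audit helper written for this summary; it is not code from BleepingComputer, CERT/CC or Microsoft. It runs offline on constructed JSON whose field names are assumed to mirror `az role assignment list` and `az aks trustedaccess rolebinding list` output, and the Trusted Access role string in the sample is assumed from Azure's Backup for AKS documentation, so it is matched loosely by substring.

```python
"""Added audit helper: flag AKS clusters that carry a Trusted Access backup
binding AND are reachable by an Azure 'Backup Contributor' role assignment.
Input shapes mirror az CLI JSON output (field names are an assumption)."""
import json
from dataclasses import dataclass

# Constructed resource IDs (placeholder subscription, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AKS_PROD = SUB + "/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod"
AKS_DEV = SUB + "/resourceGroups/rg-prod2/providers/Microsoft.ContainerService/managedClusters/aks-dev"
VAULT = SUB + "/resourceGroups/rg-prod/providers/Microsoft.DataProtection/backupVaults/bv-prod"

# Trusted Access role used by Backup for AKS, as assumed from Azure docs;
# matched case-insensitively by substring so a minor rename still flags.
BACKUP_ROLE_MARKER = "backupvaults/backup-operator"
WATCHED_ROLE = "Backup Contributor"  # the Azure built-in role named in the advisory

# Constructed sample shaped like `az role assignment list --all`.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps([
    {"principalName": "backup-svc@example.com", "principalType": "User",
     "roleDefinitionName": WATCHED_ROLE, "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "vendor-ops-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": WATCHED_ROLE, "scope": SUB},
    {"principalName": "reader@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-prod"},
])

# Constructed sample: cluster resource ID -> `az aks trustedaccess rolebinding list` output.
SAMPLE_TRUSTED_ACCESS = json.dumps({
    AKS_PROD: [{"name": "backup-binding", "provisioningState": "Succeeded",
                "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"],
                "sourceResourceId": VAULT}],
    AKS_DEV: [],  # no Trusted Access binding: Backup Contributor alone is not flagged here
})


@dataclass(frozen=True)
class Finding:
    cluster_id: str
    principal: str
    principal_type: str
    assignment_scope: str


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an RBAC assignment at `scope` applies to `resource_id`.

    Azure role assignments inherit down the resource hierarchy, so the scope
    must equal the resource or be a path-segment prefix of it. A plain string
    prefix test is wrong: rg-prod must not be treated as covering rg-prod2.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.lower()
    return r == s or r.startswith(s + "/")


def clusters_with_backup_trusted_access(bindings_by_cluster: dict) -> list:
    """Return cluster IDs whose Trusted Access bindings carry a backup-operator role."""
    flagged = []
    for cluster_id, bindings in bindings_by_cluster.items():
        for binding in bindings:
            roles = binding.get("roles", [])
            if any(BACKUP_ROLE_MARKER in role.lower() for role in roles):
                flagged.append(cluster_id)
                break
    return flagged


def audit(role_assignments_json: str, trusted_access_json: str) -> list:
    """Correlate the two inventories and return one Finding per (cluster, principal)."""
    assignments = json.loads(role_assignments_json)
    bindings_by_cluster = json.loads(trusted_access_json)
    findings = []
    for cluster_id in clusters_with_backup_trusted_access(bindings_by_cluster):
        for a in assignments:
            if a.get("roleDefinitionName") != WATCHED_ROLE:
                continue
            if scope_covers(a["scope"], cluster_id):
                findings.append(Finding(cluster_id, a["principalName"],
                                        a["principalType"], a["scope"]))
    return sorted(findings, key=lambda f: (f.cluster_id, f.principal))


if __name__ == "__main__":
    for f in audit(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_TRUSTED_ACCESS):
        print(f"REVIEW {f.principal} ({f.principal_type}) holds {WATCHED_ROLE} at "
              f"{f.assignment_scope} -> reaches {f.cluster_id.rsplit('/', 1)[-1]}")
```

On the sample data only `aks-prod` is reported, with both the resource-group-scoped user and the subscription-scoped service principal listed; `aks-dev` is reachable by the subscription-scoped assignment but has no backup binding, so it is left out. Each finding is a review item for the least-privilege check in the Recommended Actions, not proof of compromise.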