Cyber Resilience

CVE-2023-32052

Severity: Medium

Published: 11 July 2023

Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS score: 0.0054 (68.0th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-32052 is a medium-severity SSRF (CWE-918) vulnerability in Microsoft Power Apps. Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 32.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Power Apps (online) contains a spoofing vulnerability tracked as CVE-2023-32052 and assigned CWE-918. The flaw received a CVSS 3.1 base score of 5.4 reflecting network attack vector, low attack complexity, and low privileges required, with partial impact to confidentiality and integrity but no availability effect.

An authenticated user with low privileges can send crafted requests that cause the Power Apps service to perform unauthorized actions on the attacker's behalf, enabling limited spoofing of requests or data. No user interaction is needed, and the attack can be launched remotely over the network.

The official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32052 provides the authoritative guidance on available updates or configuration changes. Exploitation probability remained low after the July 2023 disclosure but rose materially to a peak of 0.0741 in January 2025 before receding to the current value of 0.0054, indicating a period of increased interest well after public release.

Vulnerability details

Microsoft Power Apps (online) Spoofing Vulnerability

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Power Apps, versions ≤ 9.2.23042

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping has not yet been run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each of the following controls addresses CWE-918:

- Penetration testing that attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Monitoring and limiting outbound connections to external resources at the network boundary, reducing SSRF impact.
- Validation of server-side URLs and resource references to block SSRF attempts.
- Detection of server-side request forgery through monitoring of unexpected outbound connections.
