Cyber Resilience

CVE-2025-47158

Critical

Published: 18 July 2025

Published
18 July 2025
Modified
14 August 2025
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0054 68.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47158 is a critical-severity Authentication Bypass by Assumed-Immutable Data (CWE-302) vulnerability in Microsoft Azure Devops. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-47158 is an authentication bypass vulnerability stemming from the use of assumed-immutable data in Azure DevOps. This flaw affects the Azure DevOps service, enabling an unauthorized attacker to bypass authentication mechanisms. The vulnerability is rated with a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-302 (Authentication Bypass by Assumed-Immutable Data). It was published on 2025-07-18.

An unauthorized attacker with network access can exploit this vulnerability due to its low privilege requirements (PR:N) and lack of need for user interaction (UI:N), though it involves high attack complexity (AC:H). Successful exploitation allows privilege elevation, leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with a scope change (S:C), potentially granting full control over affected Azure DevOps instances.

Microsoft's Security Response Center (MSRC) provides guidance on mitigation and patching in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47158. Security practitioners should consult this advisory for specific remediation steps.

EU & UK References

Vulnerability details

Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing Azure DevOps service directly enables remote exploitation for initial access and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23658Same product: Microsoft Azure Devops
CVE-2026-42826Same product: Microsoft Azure Devops
CVE-2025-65037Same vendor: Microsoft
CVE-2025-59287Same vendor: Microsoft
CVE-2025-50165Same vendor: Microsoft
CVE-2025-21348Same vendor: Microsoft
CVE-2026-26114Same vendor: Microsoft
CVE-2025-21344Same vendor: Microsoft
CVE-2025-21368Same vendor: Microsoft
CVE-2025-21355Same vendor: Microsoft

Affected Assets

microsoft
azure devops
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of organizational users before network access, directly preventing authentication bypass via assumed-immutable data.

prevent

Enforces logical access authorizations in accordance with policy, blocking unauthorized privilege elevation from authentication bypass flaws.

prevent

Limits privileges to only those necessary for tasks, reducing the impact of privilege escalation following authentication bypass.

References