CVE-2025-47995
Published: 18 July 2025
Summary
CVE-2025-47995 is a medium-severity Weak Authentication (CWE-1390) vulnerability in Microsoft Azure Machine Learning. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 18.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Helps detect exploitation of weak authentication mechanisms by notifying of previous unauthorized logons.
The IA policy requires strong authentication methods, reducing use of weak authentication.
Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions.
Enforces authentication for users, reducing the viability of weak authentication mechanisms.
Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak authentication in Azure Machine Learning enables an authorized attacker to elevate privileges over a network, directly facilitating T1068: Exploitation for Privilege Escalation.
NVD Description
Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.
Deeper analysis
CVE-2025-47995 is a weak authentication vulnerability in Azure Machine Learning that allows an authorized attacker to elevate privileges over a network. Published on 2025-07-18, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-1390.
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables privilege escalation, leading to high confidentiality impact (C:H) without affecting integrity or availability.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47995 provides guidance on mitigation and related updates.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Azure Machine Learning is a cloud-based platform for machine learning workflows, fitting under 'Other Platforms' as it does not match more specific categories like frameworks or libraries.