Cyber Resilience

CVE-2025-47995

Medium

Published: 18 July 2025

Modified: 14 August 2025
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0243 (85.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47995 is a medium-severity Weak Authentication (CWE-1390) vulnerability in Microsoft Azure Machine Learning. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 14.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Other Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-47995 is a weak authentication vulnerability, tracked under CWE-1390, that affects Azure Machine Learning. It carries a CVSS 3.1 base score of 6.5, reflecting a network attack vector, low attack complexity, and low privileges required. As a result, an authenticated user can obtain unauthorized access to sensitive information.

An authorized attacker can exploit the flaw over a network to elevate privileges and achieve high confidentiality impact while leaving integrity and availability unaffected.

Microsoft has published an advisory for the issue at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47995 that includes mitigation guidance.

The associated EPSS score has remained low, with a current value of 0.0243 and a peak of 0.0258. Because the component is part of Azure Machine Learning, the finding is directly relevant to AI/ML deployments.

Vulnerability details

Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.

CWE(s)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: machine learning

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Weak authentication in Azure Machine Learning enables an authorized attacker to elevate privileges over a network, directly facilitating T1068: Exploitation for Privilege Escalation.

CVEs Like This One

CVE-2025-49747 (same product: Microsoft Azure Machine Learning)
CVE-2025-49746 (same product: Microsoft Azure Machine Learning)
CVE-2026-32207 (same product: Microsoft Azure Machine Learning)
CVE-2026-40417 (same vendor: Microsoft)
CVE-2026-21231 (same vendor: Microsoft)
CVE-2026-32091 (same vendor: Microsoft)
CVE-2026-25174 (same vendor: Microsoft)
CVE-2026-42823 (same vendor: Microsoft)
CVE-2025-59247 (same vendor: Microsoft)
CVE-2025-49687 (same vendor: Microsoft)

Affected Assets

Vendor: microsoft
Product: azure machine learning
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires identification and authentication of users before granting access, mitigating the weak authentication flaw that enables privilege escalation.

prevent

Enforces least privilege so that even an authenticated low-privileged user cannot escalate rights within Azure Machine Learning.

prevent

Ensures the system enforces access-control decisions based on authenticated identity, blocking unauthorized elevation after weak authentication succeeds.
