CVE-2025-53763
Published: 21 August 2025
Summary
CVE-2025-53763 is a critical-severity Improper Access Control (CWE-284) vulnerability in Microsoft Purview Data Governance. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 26.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-53763 is an improper access control vulnerability (CWE-284) in Azure Databricks. Published on 2025-08-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables an unauthorized attacker to elevate privileges over a network.
The vulnerability can be exploited by any unauthenticated attacker (PR:N) remotely over the network (AV:N), with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), allowing privilege elevation without changing scope (S:U).
Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53763.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25589
Vulnerability details
Improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
- CWE(s): CWE-284 Improper Access Control
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated privilege escalation in the public-facing Azure Databricks service directly matches exploitation for privilege escalation and exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly mitigating the improper access control that allows unauthorized privilege elevation.
- Least privilege: restricts access rights to those required, preventing unauthorized attackers from escalating privileges.
- AC-24 (Access Control Decisions): determines and authorizes access based on defined policies, countering flaws in access control decisions exploited for privilege elevation.