Cyber Resilience

CVE-2025-54914

Critical

Published: 04 September 2025

Published
04 September 2025
Modified
20 October 2025
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0132 80.3th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54914 is a critical-severity Improper Access Control (CWE-284) vulnerability in Microsoft Azure Networking. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 19.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54914 is an elevation of privilege vulnerability affecting the Azure Networking component. It carries a maximum CVSS 3.1 base score of 10.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating a remotely exploitable flaw that can produce complete loss of confidentiality, integrity, and availability with a scope change. The issue is also tagged under CWE-284.

An unauthenticated attacker with network access can exploit the vulnerability to obtain elevated privileges within the affected Azure Networking environment, enabling full control over impacted resources without requiring user interaction.

Microsoft publishes remediation guidance for this CVE through its Security Response Center at the listed advisory URL. The EPSS score remains low and unchanged at 0.0132 from disclosure through the present measurement, indicating no material increase in observed exploitation interest.

EU & UK References

Vulnerability details

Azure Networking Elevation of Privilege Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct EoP vulnerability (CWE-284) with remote unauthenticated attack vector enables T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42823Same vendor: Microsoft
CVE-2025-24076Same vendor: Microsoft
CVE-2025-21359Same vendor: Microsoft
CVE-2026-23660Same vendor: Microsoft
CVE-2026-24290Same vendor: Microsoft
CVE-2026-40420Same vendor: Microsoft
CVE-2026-20929Same vendor: Microsoft
CVE-2026-33834Same vendor: Microsoft
CVE-2025-24042Same vendor: Microsoft
CVE-2025-24999Same vendor: Microsoft

Affected Assets

microsoft
azure networking
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to information and system resources, directly mitigating the improper access control (CWE-284) that enables unauthenticated privilege escalation in Azure Networking.

prevent

Requires timely remediation of identified flaws such as this CVE through patching, preventing remote exploitation of the vulnerability in Azure Networking components.

prevent

Limits privileges to the minimum necessary, reducing the impact and scope of privilege escalation resulting from the access control vulnerability.

References