
CVE-2025-54914

Severity: Critical
Published: 04 September 2025
Modified: 20 October 2025
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54914 is a critical-severity Improper Access Control (CWE-284) vulnerability in Microsoft Azure Networking. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 43.3% of CVEs by exploit likelihood (EPSS 56.7th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to information and system resources, directly mitigating the improper access control (CWE-284) that enables unauthenticated privilege escalation in Azure Networking.

SI-2 Flaw Remediation (prevent)
Requires timely remediation of identified flaws such as this CVE through patching, preventing remote exploitation of the vulnerability in Azure Networking components.

AC-6 Least Privilege (prevent)
Limits privileges to the minimum necessary, reducing the impact and scope of privilege escalation resulting from the access control vulnerability.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A direct elevation-of-privilege vulnerability (CWE-284) with a remote, unauthenticated attack vector enables T1068 Exploitation for Privilege Escalation.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

NVD Description

Azure Networking Elevation of Privilege Vulnerability

Deeper analysis

CVE-2025-54914 is an Elevation of Privilege vulnerability in Azure Networking, published on 2025-09-04. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control), with additional NVD-CWE-noinfo mapping.

The vulnerability can be exploited remotely by unauthenticated attackers, with low attack complexity and no user interaction required. Successful exploitation results in privilege escalation with high impact on confidentiality, integrity, and availability, and the scope change (S:C) means the impact extends beyond the vulnerable component itself.

Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54914, detailing mitigation strategies and available patches for affected Azure Networking components.

Details

CWE(s)

CWE-284 (Improper Access Control); additional mapping: NVD-CWE-noinfo

Affected Products

Microsoft Azure Networking (all versions)
