CVE-2025-55244

Critical

Published: 04 September 2025

Published

04 September 2025

Modified

17 October 2025

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0014 33.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55244 is a critical-severity Improper Access Control (CWE-284) vulnerability in Microsoft Azure Ai Bot Service. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match

prevent

Employs least privilege to directly prevent unauthorized elevation of privilege in Azure Bot Service by restricting access to only necessary permissions.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, addressing the improper access control (CWE-284) that enables privilege escalation over the network.

AC-2 Account Management partial match

prevent

Manages accounts to establish and maintain proper privilege levels, mitigating risks of elevation within the Azure Bot Service environment.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote EoP via improper access control in public-facing Azure Bot Service maps to exploitation for privilege escalation and public-facing app exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Azure Bot Service Elevation of Privilege Vulnerability

Deeper analysisAI

CVE-2025-55244 is an Elevation of Privilege vulnerability affecting Azure Bot Service. Published on 2025-09-04T23:15:33.333, it is associated with CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to high impacts across confidentiality, integrity, and availability with a changed scope.

Attackers require no privileges or user interaction and can exploit the vulnerability over the network, though it demands high attack complexity. Successful exploitation enables elevation of privilege, potentially granting unauthorized high-level access within the affected Azure Bot Service environment.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55244.

Details

CWE(s): CWE-284

Affected Products

microsoft

azure ai bot service

all versions

CVEs Like This One

CVE-2025-53763Same vendor: Microsoft

CVE-2025-24989Same vendor: Microsoft

CVE-2026-24306Same vendor: Microsoft

CVE-2026-24300Same vendor: Microsoft

CVE-2026-24304Same vendor: Microsoft

CVE-2025-59273Same vendor: Microsoft

CVE-2025-21380Same vendor: Microsoft

CVE-2025-54914Same vendor: Microsoft

CVE-2025-21359Same vendor: Microsoft

CVE-2026-27914Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55244
Vendor Advisory · secure@microsoft.com