A security researcher claims Microsoft silently patched a critical Azure Backup for AKS vulnerability after rejecting his report, while Microsoft denies making any product changes.
A security researcher has accused Microsoft of quietly fixing a critical vulnerability in Azure Backup for AKS without issuing a CVE identifier or acknowledging the fix publicly.
The researcher submitted a report detailing the vulnerability to Microsoft through standard disclosure channels. Microsoft rejected the report, claiming the behavior was expected and required no action. However, the researcher documented evidence suggesting Microsoft subsequently deployed a silent fix to address the issue.
When contacted by BleepingComputer, Microsoft disputed the allegations. A company spokesperson stated that "no product changes were made" in response to the report, contradicting the researcher's documentation.
The incident highlights ongoing tensions between security researchers and major technology vendors over vulnerability disclosure practices. Key concerns include:
- CVE Assignment: The absence of a CVE number means the vulnerability lacks an official identifier for tracking and reference purposes.
- Silent Patching: If Microsoft did deploy a fix without disclosure, customers would have no way to verify their systems were protected or understand the security implications.
- Verification Gap: The researcher claims to have documented evidence of the fix, yet Microsoft denies making changes, creating a factual dispute with significant implications.
Proper vulnerability disclosure typically involves researchers reporting findings, vendors assessing impact, issuing patches, and assigning CVE identifiers before public disclosure. This case appears to deviate from that standard process.
Microsoft has not provided technical details explaining how the disputed vulnerability might have been addressed or why it deemed the initial report invalid. The researcher has not yet disclosed whether they plan to release additional documentation or pursue the matter further.
This situation underscores the importance of transparent vulnerability management practices, particularly for critical cloud infrastructure components used by enterprises worldwide. The Azure Backup for AKS service handles critical data protection operations for Kubernetes deployments on Azure.
Europe's digital identity wallet age verification system will only work on iOS and Android devices, excluding alternative mobile platforms. The technical specification has drawn criticism from privacy advocates and open-source developers.
The Trump administration has established the Gold Eagle federal clearinghouse to enable real-time sharing of AI-related cyber threat intelligence between government agencies and private sector companies. The White House says the system is already receiving vulnerability reports and coordinating patch prioritization.
Spanish authorities dismantled a major cybercrime organization responsible for €140 million in fraudulent earnings, resulting in four arrests. The ring operated investment scams and business email compromise attacks.
SonicWall has released security updates to address two actively exploited vulnerabilities in its SMA1000 appliance. The company urges customers to patch immediately.