
MICROSOFT DENIES AZURE VULNERABILITY FIX, NO CVE ISSUED

SECURITY DESK · 2 MIN READ
SAT, MAY 16, 2026

■ AI-SUMMARIZED FROM 3 SOURCES

A security researcher claims Microsoft silently patched a critical Azure Backup for AKS vulnerability after rejecting his report, while Microsoft denies making any product changes.

A security researcher has accused Microsoft of quietly fixing a critical vulnerability in Azure Backup for AKS without issuing a CVE identifier or acknowledging the fix publicly. The researcher submitted a report detailing the vulnerability to Microsoft through standard disclosure channels. Microsoft rejected the report, claiming the behavior was expected and required no action. However, the researcher documented evidence suggesting Microsoft subsequently deployed a silent fix to address the issue.

When contacted by BleepingComputer, Microsoft disputed the allegations. A company spokesperson stated that "no product changes were made" in response to the report, contradicting the researcher's documentation.

The incident highlights ongoing tensions between security researchers and major technology vendors over vulnerability disclosure practices. Key concerns include:

- CVE Assignment: The absence of a CVE number means the vulnerability lacks an official identifier for tracking and reference purposes.
- Silent Patching: If Microsoft did deploy a fix without disclosure, customers would have no way to verify their systems were protected or understand the security implications.
- Verification Gap: The researcher claims to have documented evidence of the fix, yet Microsoft denies making changes, creating a factual dispute with significant implications.

Proper vulnerability disclosure typically involves researchers reporting findings, vendors assessing impact, issuing patches, and assigning CVE identifiers before public disclosure. This case appears to deviate from that standard process. Microsoft has not provided technical details explaining how the disputed vulnerability might have been addressed or why it deemed the initial report invalid. The researcher has not yet disclosed whether they plan to release additional documentation or pursue the matter further.
This situation underscores the importance of transparent vulnerability management practices, particularly for critical cloud infrastructure components used by enterprises worldwide. The Azure Backup for AKS service handles critical data protection operations for Kubernetes deployments on Azure.

■ SOURCES

Bleeping Computer
The Verge
Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
