Microsoft rejects critical Azure vulnerability report, no CVE issued
Summary
A security researcher claims Microsoft silently patched a critical vulnerability in Azure Backup for AKS after rejecting his report and not issuing a CVE. Microsoft denies this, stating that the behavior was expected and that no product changes were made. That statement contradicts the researcher's documentation of a fix.
IFF Assessment
This report indicates a potential undisclosed vulnerability that defenders may not be aware of, leaving systems exposed to exploitation.
Defender Context
This situation highlights the challenges defenders face when critical vulnerabilities might not be publicly disclosed or might be patched without a CVE. Organizations should be vigilant about vendor responses to reported security issues and monitor for unexpected behavior in their cloud environments, as potential gaps could exist without clear advisories.