
Microsoft rejects critical Azure vulnerability report, no CVE issued

Why This Matters

This incident highlights ongoing challenges in vulnerability disclosure and patch transparency within the tech industry, emphasizing the importance of independent validation and responsible reporting. For consumers and organizations, it underscores the need for vigilance and proactive security measures despite official reassurances. The case also raises questions about how major vendors handle critical security flaws and the potential for silent patches that may not be fully disclosed.

Key Takeaways

A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report and blocking a CVE from being issued.

The researcher's report describes a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged "Backup Contributor" role.

Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting new permission checks and failed exploit attempts after disclosure, suggestive of a silent patch.

CERT agrees it's a bug, but Microsoft blocks CVE

Security researcher Justin O'Leary discovered the security flaw this March and reported it to Microsoft on March 17.

Microsoft Security Response Center (MSRC) rejected the report on April 13, claiming the issue only involved obtaining cluster-admin on a cluster where "the attacker already held administrator access," a characterization O'Leary says misrepresents the attack entirely.

"This is factually incorrect," states the researcher.

"The vulnerability allows a user with zero Kubernetes permissions to gain cluster-admin. The attack does not require existing cluster access — it grants it."

O'Leary further says that Microsoft described the submission to MITRE as "AI-generated content," a characterization he says did not address the technical merits of the report.

After the rejection, O'Leary escalated the issue to CERT Coordination Center, which independently validated the vulnerability on April 16 and, according to the researcher, assigned it an identifier, VU#284781:
