Friday, May 2, 2025
HomeCyber Security NewsMicrosoft Addresses Azure AD Flaw Following Criticism from Tenable's CEO

Microsoft Addresses Azure AD Flaw Following Criticism from Tenable’s CEO

Published on

SIEM as a Service

Follow Us on Google News

After being criticized as “grossly irresponsible” and “blatantly negligent” by the CEO of Tenable, Microsoft addressed a vulnerability in the Power Platform Custom Connectors feature that allowed unauthenticated attackers access to cross-tenant apps and sensitive data from Azure customers.

On August 2nd, Microsoft addressed the issue for all customers after Tenable declared an earlier fix delivered by Redmond on June 7th as incomplete.

“This issue has been fully addressed for all customers and no customer remediation action is required,” Microsoft said.

- Advertisement - Google News

All impacted customers have since received notifications from Redmond via the Microsoft 365 Admin Centre beginning on August 4th.

Tenable claims that the fix only applies to recently deployed Power Apps and Power Automation custom connectors, despite Microsoft’s claim that the information disclosure problem has been addressed for all Azure users.

“Microsoft has fixed the issue for newly deployed connectors by requiring Azure Function keys to access the Function hosts and their HTTP trigger,” Tenable said.

“We would refer customers who require additional details regarding the nature of the deployed remediations to Microsoft for authoritative answers.”

Overview of the Issue

Tenable reported to Microsoft the security issue involving Power Platform Custom Connectors utilizing Custom Code on March 30.

Microsoft announced a significant vulnerability on July 12th and linked it to Storm-0558, a Chinese hacker collective. Around 25 different organizations were impacted by the hack, which also led to the theft of private emails from US government officials.

Senator Ron Wyden requested last week in a letter to the US Department of Justice that Microsoft be held responsible for “negligent cybersecurity practices.”

According to Tenable CEO Amit Yoran, Microsoft spent “more than 90 days to implement a partial fix” after receiving a notification from Tenable.

He further alleges that the fix only applied to “new applications loaded in the service.” The bank and all other businesses “that had launched the service before the fix” were still impacted by the issue, and Yoran claims they were probably not aware of that danger.

“It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have a further impact,” Tenable said.

Tenable also provided proof-of-concept exploit code as well as instructions for locating susceptible connector hostnames and crafting POST requests to communicate with the unprotected API endpoints.

Attack Flow Power Platform Bug (Tenable)

As a result, an attacker could communicate with the function as specified by the custom connector code without authentication if they knew the hostname of the Azure Function linked to the custom connector.

Fix Release

On June 7, 2023, Microsoft released a preliminary patch to address this vulnerability for the vast majority of users. An investigation into Tenable’s second report on 10 July 2023 indicated that a very tiny fraction of Custom Code in a soft deleted state was still impacted.

This soft deleted state was created as a resilience mechanism to allow speedy recovery if custom connections were accidentally destroyed.

Microsoft used the Custom Code routines to guarantee and certify total mitigation for any conceivably surviving clients. It was finished on August 2, 2023. 

“To protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit”, Microsoft.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a...

Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data

A 25-year-old man from Santa Clarita, California, has agreed to plead guilty to hacking...

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security In 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a...

Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data

A 25-year-old man from Santa Clarita, California, has agreed to plead guilty to hacking...

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...