🔴 A privilege escalation vulnerability may have been silently patched — with no CVE issued and no official disclosure, making it difficult to gauge the full scope of impact.
"There's no vulnerability," they said — yet a fix was quietly shipped anyway. At least, that's what security researcher OLeary (@olearysec) is claiming. A disagreement between Microsoft and an independent researcher over a privilege escalation vulnerability in Azure Backup for Azure Kubernetes Service (AKS) has sparked serious questions about the vulnerability reporting and disclosure process itself.
From Discovery to "Quiet Resolution": What Happened?
The core issue OLeary discovered is straightforward: a user with only the "Backup Contributor" Azure role — a role that grants zero Kubernetes permissions — could obtain cluster-admin (cluster administrator) privileges on an AKS cluster.
That's a genuinely alarming finding. Holding cluster-admin privileges in Kubernetes means having access to every workload, secret, and configuration within that cluster. With many organizations running production environments on Kubernetes in Azure, the potential blast radius is far from trivial.
OLeary reported the issue to Microsoft, but the company rejected it, arguing that "an attacker would already need to have administrator privileges." OLeary pushed back, calling this assumption "factually incorrect" — the vulnerability doesn't require admin privileges; it grants them. That's a fundamental distinction.
OLeary further documented that CERT/CC independently validated the vulnerability and assigned it VU#284781. A third-party organization confirmed this was a real issue — and yet Microsoft's position remained unchanged.
"No Product Changes Were Made" — Microsoft's Position
According to BleepingComputer's reporting, Microsoft told them the behavior was "by design" and that "no changes to the product were made."
However, OLeary documented that the problematic behavior was fixed at some point after the initial report. An official statement claiming no product changes were made, alongside observable changes in behavior — how you reconcile that gap is ultimately up to you. From the outside, it's a difficult discrepancy to explain away.
The real-world consequences of skipping a CVE shouldn't be overlooked either. CVE numbers are one of the most basic tools security teams use to prioritize patching decisions. Without a number, organizations running affected environments may simply never connect the dots and realize they're impacted. Companies using Azure Backup for AKS in production may have gone without any awareness of this privilege escalation risk — with time simply passing them by.
The Deeper Problem With Silent Patches
It's not unusual for cloud vendors to fix vulnerabilities without issuing a CVE. In SaaS and PaaS environments where fixes happen entirely server-side, users don't need to apply patches themselves, so quiet remediation sometimes happens without any announcement.
But this case is a bit different from a standard "unannounced fix." The timeline here is: a researcher reports the issue, CERT/CC independently validates it and assigns VU#284781, Microsoft continues to insist it's "not a vulnerability" — and then, apparently, it gets fixed anyway. This is now on the record as a case where the normal vulnerability reporting, CVE assignment, and disclosure pipeline simply didn't work as intended.
To put it in concrete terms: if this bug had been exploited, an attacker with a single "Backup Contributor" account could have taken full control of an entire Kubernetes cluster. In enterprise environments running multitenant systems or large numbers of managed services, the potential damage would have been far-reaching.
· Review CERT/CC's VU#284781 and OLeary's detailed report to assess whether your organization is affected
· Check AKS cluster audit logs for any suspicious cluster-admin activity that may have gone unnoticed
A Question of Transparency
Which vulnerabilities get CVEs and which don't is ultimately left to vendor discretion — and that's not inherently wrong. But when something that both an independent researcher and CERT/CC have deemed a real vulnerability gets quietly closed out without making it into the public record, the security community's collective knowledge base ends up with a gap.
OLeary's report is still publicly available on their blog. No CVE, but the record remains.