CVE-2025-29813
published 2025-05-08

CVE-2025-29813: Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

Priority: P270, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.53% (71.7th percentile)

Affected

2 ranges

Vendor | Product | Version range | Fixed in
microsoft | azure_devops | |
msrc | azure_devops | |

Detection & IOCs (extracted from sources)

  • CVE-2025-29813 affects Azure DevOps, a fully cloud-hosted Microsoft service. Microsoft has already fully mitigated this vulnerability server-side; no customer action, patching, or configuration change is required.
  • No exploitation has been observed in the wild and the vulnerability has not been publicly disclosed with technical details, severely limiting the ability to build targeted detections.
  • The vulnerability class is 'authentication bypass by assumed-immutable data', meaning an attacker could abuse data that the service incorrectly treated as tamper-proof to elevate privileges over a network — but no specific payloads, endpoints, or indicators have been published.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc | | 10.0 | CRITICAL |