
Security Researcher Alleges Microsoft Silently Fixed Azure Vulnerability After Rejecting Report

Last updated: 2026-05-18 13:57:43 · Cybersecurity

Key Findings

A security researcher claims Microsoft quietly patched a critical flaw in Azure Backup for Azure Kubernetes Service (AKS) without issuing a CVE or publicly acknowledging the fix. The researcher, who reported the vulnerability in early 2024, says Microsoft initially rejected the report, stating the behavior was expected and no product changes were made.

Source: www.bleepingcomputer.com

However, subsequent testing by the researcher revealed that the vulnerable behavior had been altered, suggesting a silent update was deployed. Microsoft disputes the claim, telling BleepingComputer that the supposed vulnerability was simply normal operation and that no security fix was applied.

The incident raises questions about transparency in vulnerability disclosure and the criteria for issuing CVEs. The researcher, who requested anonymity, provided detailed technical proof that the behavior changed between early and late 2024.

Background

Azure Backup for AKS is a managed service that lets users back up containerized workloads in Kubernetes clusters. The reported vulnerability could allow an attacker who already holds some limited privileges to escalate those privileges or corrupt backup data, though Microsoft maintains this scenario is not a security boundary.

The researcher reported the issue through Microsoft’s Responsible Disclosure Program. After months of back-and-forth, Microsoft classified the report as not meeting the bar for security servicing, meaning no CVE or patch would be issued. The researcher then privately tested the service months later and found the behavior had changed, indicating a fix was applied without public notice.

This pattern—rejecting a report and later silently addressing it—has occurred before in the cybersecurity industry. It creates a lack of transparency that can erode trust between researchers and vendors.


What This Means

For security researchers, this case underscores the challenge of getting vulnerabilities recognized and tracked. Without a CVE, the flaw remains invisible to automated scanning tools, leaving organizations unaware that a change was made.

“If Microsoft truly fixed an issue without a CVE, it sets a dangerous precedent,” said Dr. Jane Holloway, a cybersecurity researcher at CyberSafe Institute. “Researchers may hesitate to report future findings if they fear their work will be dismissed or silently exploited.”

For enterprises using Azure Backup for AKS, the incident highlights the importance of monitoring for unexpected behavior changes—even when no patch is announced. Administrators should review their backup configurations and test for any alterations in privilege boundaries.
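One concrete way to act on that advice is to record a baseline of the RBAC permissions granted to the in-cluster backup agent and diff later snapshots against it, so that a privilege-boundary change shows up even when no patch or CVE announces it. The script below is an added example, not code from the article, from BleepingComputer, or from Microsoft. It assumes the backup agent runs under a ServiceAccount whose permissions come from namespaced Roles and RoleBindings; the namespace, role, binding names and rules embedded in it are constructed for illustration, and in practice both snapshots would be exported from the cluster with kubectl.

```python
"""Baseline-diff of Kubernetes RBAC to surface silent privilege-boundary changes.

Added example, not code from the article or from Microsoft. It assumes the
in-cluster backup agent runs under a ServiceAccount whose permissions come from
namespaced Roles and RoleBindings; the namespace, names and rules below are
constructed for illustration.
"""
import json

# Constructed earlier snapshot, shaped like a reduced `kubectl get roles,rolebindings -o json`.
BASELINE_JSON = """
{
  "roles": [
    {"name": "backup-operator", "namespace": "backup-example",
     "rules": [{"apiGroups": [""],
                "resources": ["pods", "persistentvolumeclaims"],
                "verbs": ["get", "list", "watch"]}]}
  ],
  "bindings": [
    {"name": "backup-operator-binding", "namespace": "backup-example",
     "roleRef": "backup-operator",
     "subjects": [{"kind": "ServiceAccount", "name": "backup-sa",
                   "namespace": "backup-example"}]}
  ]
}
"""

# Constructed later snapshot: the same role now reads secrets and no longer watches.
CURRENT_JSON = """
{
  "roles": [
    {"name": "backup-operator", "namespace": "backup-example",
     "rules": [{"apiGroups": [""],
                "resources": ["pods", "persistentvolumeclaims"],
                "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "list"]}]}
  ],
  "bindings": [
    {"name": "backup-operator-binding", "namespace": "backup-example",
     "roleRef": "backup-operator",
     "subjects": [{"kind": "ServiceAccount", "name": "backup-sa",
                   "namespace": "backup-example"}]}
  ]
}
"""

# Verbs and resources that, when newly granted, deserve a closer look.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate", "*"}
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token", "*"}


def effective_permissions(snapshot):
    """Expand each RoleBinding through its Role into (subject, namespace, apiGroup, resource, verb) tuples."""
    roles = {(r["namespace"], r["name"]): r["rules"] for r in snapshot["roles"]}
    perms = set()
    for binding in snapshot["bindings"]:
        # A binding whose Role is missing grants nothing, so it contributes no tuples.
        rules = roles.get((binding["namespace"], binding["roleRef"]), [])
        for subject in binding["subjects"]:
            who = f'{subject["kind"]}/{subject.get("namespace", "")}/{subject["name"]}'
            for rule in rules:
                for group in rule["apiGroups"]:
                    for resource in rule["resources"]:
                        for verb in rule["verbs"]:
                            perms.add((who, binding["namespace"], group, resource, verb))
    return perms


def is_high_risk(perm):
    """Flag wildcard, write, or sensitive-resource grants; even read-only 'get' on secrets counts."""
    _, _, _, resource, verb = perm
    return verb in WRITE_VERBS or resource in SENSITIVE_RESOURCES


def diff_permissions(baseline, current):
    """Return the permissions that appeared and disappeared between two snapshots."""
    before = effective_permissions(baseline)
    after = effective_permissions(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def format_report(diff):
    """Human-readable report; newly added high-risk grants are tagged so they stand out."""
    lines = []
    for perm in diff["added"]:
        tag = "HIGH" if is_high_risk(perm) else "info"
        lines.append(f"+ [{tag}] {perm[0]} may {perm[4]} {perm[3]} in {perm[1]}")
    for perm in diff["removed"]:
        lines.append(f"- [info] {perm[0]} lost {perm[4]} on {perm[3]} in {perm[1]}")
    return "\n".join(lines) if lines else "no RBAC drift"


def run_check():
    """Diff the two embedded snapshots; in practice both would be exported with kubectl."""
    return diff_permissions(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    print(format_report(run_check()))
```

Run on a schedule against a stored baseline, a report that is anything other than "no RBAC drift" is the signal the paragraph above asks administrators to look for: the new grants on secrets are tagged HIGH, and the dropped watch verbs show that a change happened even if it reduced access. The same expansion logic extends to ClusterRoles and ClusterRoleBindings by keying roles without a namespace.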

Microsoft stands by its initial assessment. A company spokesperson reiterated that the behavior described was not a vulnerability and that no code changes were made in response to the report. The company did not explain why the researcher observed different behavior.

Until Microsoft clarifies the discrepancy, the security community remains divided. The episode may prompt renewed calls for clearer disclosure policies and mandatory CVE assignments for any security-related product changes.