Patch/Configuration Management

Researcher claims Microsoft silently patched Azure Backup for AKS vulnerability

May 18, 2026

By SC Staff

According to Bleeping Computer, a security researcher alleges that Microsoft discreetly resolved a critical vulnerability in Azure Backup for AKS, a flaw that could have allowed cluster-admin access from a low-privileged role. The researcher claims Microsoft initially rejected the report and blocked the issuance of a CVE identifier.

The vulnerability, reportedly discovered by Justin O'Leary, allowed users with only the "Backup Contributor" role to gain cluster-admin privileges within Kubernetes clusters. This was reportedly achieved by exploiting the Trusted Access feature in Azure Backup for AKS, which normally grants cluster-admin rights to backup extensions. O'Leary states that an attacker could enable backup on a target AKS cluster, triggering Azure to automatically configure Trusted Access, thereby enabling them to extract secrets or deploy malicious workloads.

Microsoft, however, disputes these claims, asserting that the behavior was expected and no product changes were made. Despite Microsoft's stance, the researcher says he documented new permission checks and observed that the original exploit path no longer functions. The CERT Coordination Center independently validated the vulnerability, but Microsoft allegedly blocked the CVE assignment, citing the need for pre-existing administrative access.

Source: Bleeping Computer