A security researcher has accused Microsoft of silently patching a vulnerability in Azure Backup for Azure Kubernetes Service (AKS) without assigning a CVE identifier or publicly acknowledging the fix. The researcher had submitted a formal vulnerability report to Microsoft, which the company rejected on the grounds that the reported behavior fell within the expected design of the system.
The dispute centers on whether Microsoft addressed the issue with a patch or whether the researcher misidentified expected functionality. Microsoft told BleepingComputer that "no product changes were made" in response to the report. The researcher counters that he documented evidence of a fix being deployed silently after his submission, leaving the two accounts in direct contradiction.
The lack of a CVE assignment complicates the situation. A CVE identifier gives a vulnerability a single shared name that advisories, vulnerability scanners, and patch-management tooling key on, which is what lets security teams assess exposure, prioritize patching, and coordinate response. When a vulnerability is fixed without a CVE, nothing in that tooling will flag it, and organizations lose visibility into what changed and why, potentially leaving gaps in their security posture.
This incident highlights ongoing friction between independent security researchers and major vendors over disclosure practices. By rejecting the report as expected design, Microsoft classified the finding as intended behavior rather than a security flaw. That classification decision determines whether the issue receives formal tracking, public notification, and inclusion in security bulletins.
The absence of transparency creates operational headaches for organizations running Azure Backup for AKS. Security teams cannot definitively determine whether they were affected, whether they need to take action, or how their attack surface changed as a result of any modification Microsoft made. Because this is a managed service, customers also have no independent way to inspect or verify a change on Microsoft's side; the only record available to them is what Microsoft chooses to publish.
If the researcher's evidence of a silent patch holds up, it would mean Microsoft addressed a real security concern while avoiding formal disclosure. That would leave a documentation void that complicates future audits, compliance reporting, and incident investigations across customer environments, since none of those processes can account for a fix that was never announced.
