Date: 2025-02-25

A severe vulnerability in Microsoft Power Apps has allowed threat actors to exploit the Microsoft Partner Center website.

The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a Microsoft vulnerability to its catalogue of "exploited vulnerabilities." The vulnerability scores as highly severe, according to CISA.

The vulnerability allows for improper access control in the partner.microsoft.com website. In other words, people lacking proper authentication for Microsoft Partner Center can access the system and view sensitive information. Threat actors can "elevate privilege" for unauthorized users. According to Microsoft's security update guide, the attack vector is the network stack, which means that people can remotely exploit the vulnerability through the internet.

Microsoft's security update guide lists the vulnerability as having been disclosed on Nov. 26, 2024. The company further notes that no user action is required. Only the online version of Microsoft Power Apps was affected, meaning that Microsoft could use automatic updates to address the problem.

Cybercriminals have increasingly targeted channel partners as supply chain attacks grow more common. Most recently, state-affiliated cybercriminals exploited the platforms of prominent telecommunications companies and collected a trove of call data.

CISA on the same day disclosed a cross-site scripting vulnerability associated with collaboration software provider Zimbra.