An access control flaw (CVE-2024-49035) in Microsoft Partner Center lets an attacker elevate their privileges in the portal. Microsoft lists the vulnerability as exploited in the wild, and CISA has added it to its Known Exploited Vulnerabilities catalog.
Overview
Microsoft disclosed the vulnerability, which affects the Partner Center web portal, in November 2024. Microsoft rates it High (CVSS 8.7) while NIST's NVD rates it Critical (9.8); the two vectors agree except that Microsoft scores the attacker as an already-authenticated low-privileged user (PR:L) and NVD scores the attack as requiring no privileges (PR:N). The flaw is an elevation of privilege: a user with limited access can change access levels they should not be able to touch. Microsoft's advisory marks it "Exploitation Detected", so affected partners should treat it as actively exploited rather than theoretical.
Technical Details
The vulnerability stems from improper access control in the Microsoft Power Apps backend on which Partner Center is built, allowing a remote, authenticated user to elevate privileges without any user interaction. Because Partner Center is a cloud service, Microsoft fixed it server-side with an automatic update and reports the rollout complete by late November 2024; there is nothing for partners to install. The exposure window is therefore the period before that rollout, during which attackers could exploit the flaw. CISA subsequently added CVE-2024-49035 to its Known Exploited Vulnerabilities catalog in February 2025, confirming real-world exploitation.
Risks & Exploitation
Attackers could:
- Gain administrative access to a partner's Partner Center tenant (for example the Admin agent role)
- View and modify sensitive data such as customer lists, subscriptions, and billing records
- Pivot into customer tenants through the delegated administration relationships (DAP/GDAP) that Partner Center manages, turning one compromised partner into a supply-chain foothold across its customers
Given Partner Center's role in managing customer cloud services, a single compromised Cloud Solution Provider can expose every customer tenant it administers. Threat actors, including financially motivated groups and state-backed operators, already target IT service providers precisely because of this one-to-many access, which is why an exploited flaw in the partner portal itself matters beyond the partner's own tenant.
Mitigation Steps
- Verify Patch Deployment – Microsoft's fix was applied in the cloud service and requires no partner action; confirm the fix date from Microsoft's advisory and use it as the end of the exposure window when scoping the review below.
- Review Audit Logs – Check the Partner Center activity log and Microsoft Entra ID audit and sign-in logs for the exposure window: new or changed role assignments (especially Admin agent and Global Administrator), new delegated admin (DAP/GDAP) relationships, self-granted privileges, accounts outside your tenant gaining roles, and sign-ins from unfamiliar locations or devices.
- Reset Credentials & Enforce MFA – Rotate passwords and refresh tokens for accounts that held or gained privileged roles during the window, revoke unexpected app consents, and make sure MFA and Conditional Access apply to every partner account.
- Limit Privileges – Apply least privilege: keep the Admin agent role to the few people who need it, prefer GDAP with narrowly scoped roles over broad delegated admin rights, and review role membership regularly so an elevation like this one is noticed quickly.
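The audit-log review and least-privilege steps above are easier to act on with a repeatable check. The script below is an added example, not code from the original advisory or from Microsoft: it scans a constructed sample of audit records (one JSON object per line, loosely shaped like a Microsoft Entra ID directory-audit export; the field names, role names, accounts, approved-admin list, tenant domain and exposure window are all assumptions for illustration), flags privileged-role grants in the exposure window that were not made by an approved admin, were self-granted, or went to an account outside the tenant, and replays grants and revocations to show who currently holds each role for a least-privilege review.

```python
import json
from datetime import datetime, timezone

# Constructed sample log: one JSON object per line, loosely shaped like a Microsoft
# Entra ID directory-audit export. Field names, role names and accounts are
# assumptions for this example, not real Partner Center data.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2024-11-18T09:12:03Z", "activityDisplayName": "Add member to role", "initiatedBy": "alice@contoso-partner.example", "target": "bob@contoso-partner.example", "role": "Helpdesk agent", "result": "success"}
{"activityDateTime": "2024-11-22T02:41:57Z", "activityDisplayName": "Add member to role", "initiatedBy": "bob@contoso-partner.example", "target": "bob@contoso-partner.example", "role": "Admin agent", "result": "success"}
{"activityDateTime": "2024-11-22T02:43:10Z", "activityDisplayName": "Update user", "initiatedBy": "bob@contoso-partner.example", "target": "svc-billing@contoso-partner.example", "role": null, "result": "success"}
{"activityDateTime": "2024-11-22T02:50:00Z", "activityDisplayName": "Add member to role", "initiatedBy": "bob@contoso-partner.example", "target": "mallory@example.net", "role": "Global Administrator", "result": "success"}
{"activityDateTime": "2024-11-25T14:05:44Z", "activityDisplayName": "Remove member from role", "initiatedBy": "alice@contoso-partner.example", "target": "bob@contoso-partner.example", "role": "Helpdesk agent", "result": "success"}
{"activityDateTime": "2024-11-26T08:00:00Z", "activityDisplayName": "Add member to role", "initiatedBy": "alice@contoso-partner.example", "target": "carol@contoso-partner.example", "role": "Admin agent", "result": "failure"}
"""

# Assumed tenant facts for the example: who may grant roles, the tenant's UPN domain,
# and the exposure window (disclosure in late November 2024 bounds the end).
APPROVED_ADMINS = {"alice@contoso-partner.example"}
TENANT_DOMAIN = "contoso-partner.example"
ASSUMED_WINDOW = (datetime(2024, 11, 1, tzinfo=timezone.utc),
                  datetime(2024, 11, 30, tzinfo=timezone.utc))

# Roles whose grant should always be reviewed (assumed set; adjust to your tenant).
PRIVILEGED_ROLES = {"Admin agent", "Global Administrator", "Privileged Role Administrator"}
GRANT_EVENTS = {"Add member to role", "Add eligible member to role"}
REVOKE_EVENTS = {"Remove member from role", "Remove eligible member from role"}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(record):
    """Timestamp of a record as an aware datetime (accepts the trailing 'Z' form)."""
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def find_privilege_escalations(records, approved_admins, tenant_domain, window_start, window_end):
    """Flag successful privileged-role grants inside the exposure window that were not
    initiated by an approved admin, were self-granted, or went to an external account."""
    findings = []
    for r in records:
        if r["activityDisplayName"] not in GRANT_EVENTS or r["result"] != "success":
            continue
        if r["role"] not in PRIVILEGED_ROLES:
            continue
        if not (window_start <= _when(r) <= window_end):
            continue
        reasons = []
        if r["initiatedBy"] not in approved_admins:
            reasons.append("initiator is not an approved admin")
        if r["initiatedBy"] == r["target"]:
            reasons.append("self-granted role")
        if r["target"].rsplit("@", 1)[-1].lower() != tenant_domain.lower():
            reasons.append("target is outside the tenant domain")
        if reasons:
            findings.append({"time": r["activityDateTime"], "initiatedBy": r["initiatedBy"],
                             "target": r["target"], "role": r["role"], "reasons": reasons})
    return findings


def current_role_members(records):
    """Replay successful grants and revocations in time order to get present role
    membership; roles that end up empty are dropped. This is the input for a
    least-privilege review."""
    members = {}
    for r in sorted(records, key=_when):
        if r["result"] != "success" or r["role"] is None:
            continue
        if r["activityDisplayName"] in GRANT_EVENTS:
            members.setdefault(r["role"], set()).add(r["target"])
        elif r["activityDisplayName"] in REVOKE_EVENTS:
            members.get(r["role"], set()).discard(r["target"])
    return {role: who for role, who in members.items() if who}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for f in find_privilege_escalations(recs, APPROVED_ADMINS, TENANT_DOMAIN, *ASSUMED_WINDOW):
        print(f"{f['time']} {f['initiatedBy']} -> {f['target']} [{f['role']}]: {'; '.join(f['reasons'])}")
    for role, who in current_role_members(recs).items():
        print(f"{role}: {sorted(who)}")
```

On the sample, the script flags bob's self-grant of Admin agent and bob's grant of Global Administrator to an external account, and the replay shows those two memberships still in place, which is exactly what the credential-reset and least-privilege steps should then act on. To run it against real data, replace SAMPLE_AUDIT_LOG with an export from the Partner Center activity log or Entra ID audit log and adjust the field mapping in one place, since real exports nest the initiator and target rather than flattening them as this constructed sample does.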