A security researcher publicly disclosed what they describe as a critical cross-tenant access vulnerability in Microsoft Azure's identity and access management layer, claiming it allows traversal of tenant isolation boundaries to access resources belonging to other Azure customers without requiring victim-side misconfiguration. The researcher reports submitting full technical details and proof-of-concept code to the Microsoft Security Response Center, which closed the case as "by design" and declined to assign a CVE or issue an advisory. No patch, CVE identifier, or official Microsoft advisory has been published, and there are no reports of active exploitation. The disclosure highlights a recurring "silent fix" pattern in which similar cross-tenant issues have later been quietly remediated without acknowledgement, leaving customers without identifiers to track residual risk. Azure operators are advised to treat cross-tenant isolation as an untrusted boundary, supplement CVE-feed-based vulnerability management with direct monitoring of researcher disclosures, and review tenant-boundary controls in penetration testing scope.
// Alert
Microsoft Azure threat report
// Microsoft AzureMEDIUM
// Get alerts for Microsoft Azure