Description
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
Published: 2025-12-18
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper authorization flaw in Microsoft Partner Center that lets an attacker who is not authenticated gain higher privileges than are intended. By abusing this flaw, an attacker can access sensitive partner data, modify configuration settings, or perform other privileged actions. The weakness is categorized as CWE-285.

Affected Systems

All Microsoft Partner Center deployments that have not applied the patch for CVE-2025-65041 remain vulnerable. This includes every version of the service sold by Microsoft, as no specific version list is provided.

Risk and Exploitability

The CVSS score of 10 reflects severe potential impact. The EPSS score of less than 1% indicates that, while the flaw is high severity, the likelihood of exploitation in the wild is currently very low. The likely attack vector is via network access to the Partner Center service, inferred from the description that the privilege escalation can be performed over a network. If exploited, an attacker would gain elevated privileges that could compromise confidentiality, integrity, and availability of partner data.

Generated by OpenCVE AI on April 20, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft Partner Center updates that address CVE-2025-65041 as soon as they become available
  • If an update is not yet released, restrict network access to Partner Center to trusted IP ranges and enforce MFA for all access attempts
  • Audit account privileges and disable any unnecessary privileged operations for unverified accounts to limit the potential impact of a privilege escalation
  • Monitor Partner Center logs for suspicious activity and set up alerts for attempts to perform privileged actions

Generated by OpenCVE AI on April 20, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:partner_center:-:*:*:*:*:*:*:*

Fri, 19 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Description Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
Title Microsoft Partner Center Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft partner Center
Weaknesses CWE-285
CPEs cpe:2.3:a:microsoft:partner_center:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft partner Center
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C'}

Subscriptions

Microsoft Partner Center
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:19:04.744Z

Reserved: 2025-11-13T16:18:07.467Z

Link: CVE-2025-65041

cve-icon Vulnrichment

Updated: 2025-12-19T15:18:42.715Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-18T22:16:01.597

Modified: 2026-01-06T16:05:51.513

Link: CVE-2025-65041

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses