Unpatched flaw CVE-2024-49035 allows unauthenticated privilege escalation, posing supply chain risks

A critical vulnerability in Microsoft’s Partner Center platform is under attack, enabling unauthenticated attackers to escalate privileges, potentially leading to data breaches, malware deployment, and lateral movement across enterprise networks. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2024-49035, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in real-world environments.

A high-impact vulnerability in Microsoft’s partner ecosystem

CVE-2024-49035 is a privilege escalation flaw stemming from improper access control within Microsoft Partner Center, a platform used by enterprises and managed service providers to handle cloud services, licenses, and customer accounts. Microsoft first disclosed the issue in November 2024, assigning it a CVSS score of 8.7. However, the National Vulnerability Database (NVD) later upgraded its severity rating to 9.8 out of 10, citing its low attack complexity and high impact on confidentiality and integrity.

The flaw enables threat actors to exploit the Microsoft Power Apps-based backend of Partner Center, gaining unauthorized access without requiring authentication. This raises concerns about potential supply chain risks, as attackers could use compromised partner accounts to pivot into customer environments.

Discovery and response timeline

Security researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor identified the vulnerability and reported it to Microsoft through the coordinated vulnerability disclosure process. Interestingly, their findings did not initially trigger public exploit reports, suggesting either that sophisticated attackers developed exploits independently or that early exploitation remained targeted and difficult to detect.
CISA did not disclose details of the ongoing attacks, but emphasized the severity of the situation in its advisory, noting that vulnerabilities of this nature are frequent attack vectors for malicious actors seeking to compromise enterprise networks.

Microsoft has automatically deployed patches to the Power Apps online service that underpins Partner Center. According to the company’s security bulletin, “No manual intervention is required from customers as this update is being deployed automatically to the online service infrastructure.”

However, CISA has taken additional measures, mandating that Federal Civilian Executive Branch (FCEB) agencies apply all updates by March 18, 2025. The agency has also urged private-sector enterprises to follow suit, emphasizing that organizations relying on Microsoft’s cloud ecosystem should treat this vulnerability as a high-priority risk.

Persistent threats to cloud-based ecosystems

The growing reliance on cloud-based services and partner ecosystems has increased the attack surface for enterprises, making vulnerabilities like CVE-2024-49035 particularly dangerous. The flaw highlights the persistent risks associated with privilege escalation exploits in widely used enterprise platforms.

While Microsoft has stated that the issue is contained within the Partner Center online service, the underlying linkage to Microsoft Power Apps raises concerns about potential shared infrastructure risks. If attackers gain a foothold in one segment of a cloud service, they could attempt to escalate privileges across interconnected systems, amplifying the potential impact.

The vulnerability also coincides with the disclosure of another critical flaw, the Zimbra XSS vulnerability tracked as CVE-2023-34192. While both security weaknesses have been added to CISA’s KEV catalog, the Microsoft Partner Center flaw is particularly concerning due to its potential to affect enterprise customers at scale.
Unlike the Zimbra flaw, which primarily affects email security, CVE-2024-49035 targets the central partner ecosystem that underpins Microsoft’s cloud services, making it a more attractive target for cybercriminals looking to compromise multiple organizations through a single exploit.

Immediate steps for organizations

As cybercriminals continue to exploit vulnerabilities in cloud environments, organizations must take a proactive approach to cybersecurity. CISA has recommended a series of mitigation strategies, including network segmentation, continuous access audits, and the adoption of zero-trust security models to limit the impact of privilege escalation attacks. Enterprises using Microsoft Partner Center should closely monitor their systems for signs of unauthorized access and review Microsoft’s security advisories for any further updates.

The exploitation of CVE-2024-49035 underscores the urgent need for organizations to prioritize patch management and stay ahead of emerging threats. As the regulatory landscape around cybersecurity becomes more stringent, businesses that fail to secure their cloud-based infrastructure could face not only operational disruptions but also potential compliance penalties.

With CISA’s warning now public, the window for mitigating the threat is rapidly closing. Organizations that depend on Microsoft’s partner ecosystem must act swiftly to ensure they are protected against ongoing attacks before adversaries gain deeper access into enterprise networks.