Microsoft rejects critical Azure vulnerability report, no CVE issued
EXECUTIVE SUMMARY
Microsoft Denies Critical Azure Vulnerability Amid Silent Fix Allegations
Summary
A security researcher has accused Microsoft of silently fixing a critical vulnerability in Azure Backup for AKS without issuing a CVE. Microsoft, however, claims that the reported behavior was expected and that no product changes were made.
Key Points
- A security researcher reported a critical vulnerability in Azure Backup for AKS.
- Microsoft allegedly fixed the issue quietly, without issuing a CVE.
- Microsoft disputes the claim, stating that the behavior was expected and no changes were made to the product.
- The incident highlights a potential communication gap between security researchers and Microsoft.
Analysis
The situation underscores the challenges of vulnerability disclosure and management, particularly when a vendor and a researcher disagree about whether reported behavior is a vulnerability. Without a CVE, the issue is harder to track and less visible, which may affect organizations relying on Azure services.
Conclusion
IT professionals should remain vigilant and consider monitoring for any unofficial reports of vulnerabilities, especially in critical services like Azure. Engaging with security communities may provide additional insights into potential risks.