Microsoft published eight critical security advisories Thursday for cloud and SaaS services including Power Pages, Entra ID, Azure Resource Manager and Azure networking components. Five of the flaws carry severity ratings of CVSS 10, and three more rate CVSS 9.1 or higher.
Unlike traditional Patch Tuesday releases involving downloadable Windows updates and urgent patching guidance for administrators, the advisories appear tied to Microsoft-managed cloud services.
The advisories follow Microsoft’s standard server-side remediation pattern for SaaS vulnerabilities. Every affected product is a Microsoft-operated cloud service rather than customer-installed software. The temporal portion of each flaw’s CVSS vector, the metrics that record exploit status, remediation status and report confidence, reads “E:U/RL:O/RC:C,” denoting an unproven exploit, an official fix and a confirmed report.
No proof-of-concept code, active exploitation or CISA Known Exploited Vulnerabilities listing has surfaced for any of the eight.
The CVE numbers are:
- CVE-2026-23652 — Power Pages command injection (CVSS 10)
- CVE-2026-40412 — Azure Orbital Spatio RCE (CVSS 10)
- CVE-2026-33843 — Entra ID / Azure AD B2C privilege escalation (CVSS 9.1)
- CVE-2026-40411 — Azure Virtual Network Gateway RCE (CVSS 9.9)
- CVE-2026-41090 — 365 Copilot for iOS command injection (CVSS 9.3)
- CVE-2026-47280 — Azure Resource Manager privilege escalation (CVSS 10)
- CVE-2026-42901 — Entra ID privilege escalation (CVSS 10)
- CVE-2026-41104 — Planetary Computer Pro information disclosure via untrusted deserialization (CVSS 10)
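The temporal string Microsoft attached to all eight advisories changes what the headline scores mean for triage. As an added example (not from the article or from Microsoft), the following Python applies the CVSS v3.1 temporal formula to the base scores listed above; the metric weights and the Roundup routine follow the published specification, and the CVE-to-score pairs are the ones quoted in the article.

```python
"""Compute CVSS v3.1 temporal scores from 'E:U/RL:O/RC:C' style metrics."""
import math
import re

# Temporal metric weights from the CVSS v3.1 specification (section 7.2).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

# Human-readable meaning of each value, used for triage notes.
LABELS = {
    "E": {"X": "not defined", "H": "high", "F": "functional",
          "P": "proof-of-concept", "U": "unproven"},
    "RL": {"X": "not defined", "U": "unavailable", "W": "workaround",
           "T": "temporary fix", "O": "official fix"},
    "RC": {"X": "not defined", "C": "confirmed", "R": "reasonable", "U": "unknown"},
}


def parse_temporal(vector: str) -> dict:
    """Extract E, RL and RC from a full or temporal-only vector; missing metrics are 'X'."""
    metrics = {"E": "X", "RL": "X", "RC": "X"}
    for key, value in re.findall(r"(?:^|/)(E|RL|RC):([A-Z])", vector):
        if value not in LABELS[key]:
            raise ValueError(f"unknown value {value!r} for metric {key}")
        metrics[key] = value
    return metrics


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup (appendix A): smallest one-decimal value >= x, float-safe."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base_score: float, vector: str) -> float:
    """Temporal score = Roundup(Base x E x RL x RC), CVSS v3.1 section 7.2."""
    m = parse_temporal(vector)
    return roundup(base_score * EXPLOIT_CODE_MATURITY[m["E"]]
                   * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


if __name__ == "__main__":
    # Base scores as quoted in the article; the temporal string is the one shared by all eight.
    shared = "E:U/RL:O/RC:C"
    print({k: LABELS[k][v] for k, v in parse_temporal(shared).items()})
    for cve, base in [("CVE-2026-23652", 10.0), ("CVE-2026-33843", 9.1), ("CVE-2026-40411", 9.9)]:
        print(cve, base, "->", temporal_score(base, shared))
```

With E:U/RL:O/RC:C, a CVSS 10 base score becomes a temporal score of 8.7, which is the figure to carry into a risk register once the vendor has shipped the fix.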
These are not out-of-band patches in the emergency-response sense. The alerts come nine days after Microsoft’s May Patch Tuesday, which was the first Patch Tuesday since June 2024 without any actively exploited or publicly disclosed zero-day vulnerabilities.
Microsoft patched the problem. You own the exposure.
For defenders, these CVEs matter precisely because Microsoft says no action is required. The platform got patched; the tenant didn’t. Customers still own their configurations, their data exposure and the blast radius when the next flaw lands in the same service.
The Power Pages command injection flaw stands out because low-code and no-code platforms keep expanding inside enterprises, often outside security’s line of sight.
Microsoft Power Pages lets business users — not developers — spin up public-facing websites. A marketing manager or operations team can build a site through a drag-and-drop interface, connect it to internal company data and publish it to the internet without engineering involvement.
A regional bank’s lending team could use Power Pages to launch a small-business loan application portal in days, wiring it to the bank’s loan-origination systems through Dataverse, Microsoft’s underlying business database. Borrowers submit applications and upload tax returns through the public site; the data flows into internal systems behind it.
That convenience cuts both ways. Every Power Pages site is internet-facing by design, and the security team may not know which sites exist because business units build them without filing a ticket. A command injection flaw such as CVE-2026-23652 lets an attacker submit crafted input through a public form and trick the backend into running attacker-supplied commands, turning the customer-facing portal into an attack vector for the records behind it.
A 2025 Power Pages privilege escalation flaw, CVE-2025-24989, was actively exploited before Microsoft patched it and landed on CISA’s Known Exploited Vulnerabilities list.
Thursday’s advisories are a prompt to inventory Power Pages sites business units have spun up without IT’s knowledge. Security teams should then tighten Dataverse permissions and anonymous-user access on every site they find.
Cloud fixes, nothing new
Microsoft has been issuing similar cloud-service advisories throughout the month, all flagged as requiring no customer action, including CVE-2026-42826, an Azure DevOps flaw rated CVSS 10.
That does not necessarily mean the issues are unimportant.
Cloud vulnerabilities sit outside direct customer control, leaving defenders to audit logs, review configurations and trust the vendor’s fix rather than deploy a patch themselves.
For years, enterprise security teams built vulnerability programs around assets they could see and remediate themselves — Windows servers, routers, laptops, applications. Cloud services increasingly break that model.
For administrators, the upside is that critical vulnerabilities affecting an identity service, low-code platform or cloud management component are fixed before the organization even becomes aware of the issue.
Security teams still need to understand what happened, whether their tenants were exposed, whether activity logs should be reviewed and whether attackers had opportunities before mitigations were applied.