{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65041", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-13T16:18:07.467Z", "datePublished": "2025-12-18T22:02:06.021Z", "dateUpdated": "2026-04-16T14:19:04.744Z"}, "containers": {"cna": {"title": "Microsoft Partner Center Elevation of Privilege Vulnerability", "datePublic": "2025-12-18T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:partner_center:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Partner Center", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-285: Improper Authorization", "lang": "en-US", "type": "CWE", "cweId": "CWE-285"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:19:04.744Z"}, "references": [{"name": "Microsoft Partner Center Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65041"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65041", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-20T04:56:25.625602Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:07:26.397Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65041", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-20T04:56:25.625602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T15:18:42.715Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Partner Center Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Partner Center", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2025-12-18T08:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65041", "name": "Microsoft Partner Center Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:partner_center:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:19:04.744Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65041", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:19:04.744Z", "dateReserved": "2025-11-13T16:18:07.467Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-12-18T22:02:06.021Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:partner_center:-:*:*:*:*:*:*:*", "matchCriteriaId": "A400A527-15CD-4F9D-A42D-A453ABE04769", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network."}], "id": "CVE-2025-65041", "lastModified": "2026-01-06T16:05:51.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-18T22:16:01.597", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65041"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:38:31.319634+00:00", "value": {"mitigation_remediation": ["Apply Microsoft Partner Center updates that address CVE-2025-65041 as soon as they become available", "If an update is not yet released, restrict network access to Partner Center to trusted IP ranges and enforce MFA for all access attempts", "Audit account privileges and disable any unnecessary privileged operations for unverified accounts to limit the potential impact of a privilege escalation", "Monitor Partner Center logs for suspicious activity and set up alerts for attempts to perform privileged actions"], "summary": {"action": "Immediate Patch", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "All Microsoft Partner Center deployments that have not applied the patch for CVE-2025-65041 remain vulnerable. This includes every version of the service sold by Microsoft, as no specific version list is provided.", "description_and_impact": "The vulnerability is an improper authorization flaw in Microsoft Partner Center that lets an attacker who is not authenticated gain higher privileges than are intended. By abusing this flaw, an attacker can access sensitive partner data, modify configuration settings, or perform other privileged actions. The weakness is categorized as CWE-285.", "risk_and_exploitability": "The CVSS score of 10 reflects severe potential impact. The EPSS score of less than 1% indicates that, while the flaw is high severity, the likelihood of exploitation in the wild is currently very low. The likely attack vector is via network access to the Partner Center service, inferred from the description that the privilege escalation can be performed over a network. If exploited, an attacker would gain elevated privileges that could compromise confidentiality, integrity, and availability of partner data."}}}}, "created": "2026-04-20T15:45:10.380230+00:00", "updated": "2026-04-20T15:45:10.380241+00:00", "vendors": []}