What is Microsoft Partner Center?
Microsoft Partner Center is the cloud management portal used by Microsoft's network of cloud solution providers (CSPs), managed service providers (MSPs), independent software vendors (ISVs), and resellers to manage their Microsoft cloud subscriptions, customer tenants, billing, and licensing. Partners use Partner Center to manage their own Azure and Microsoft 365 subscriptions as well as the subscriptions of their downstream customers. A privilege escalation in Partner Center is particularly sensitive: a compromised partner account can lead to unauthorized access across all customer tenants the partner manages — a supply-chain attack vector affecting multiple organizations simultaneously.
Overview
CVE-2024-49035 is an improper access control vulnerability in Microsoft Partner Center that allows an authenticated attacker with limited privileges to escalate to higher access levels, affecting the confidentiality and integrity of resources managed through the platform. The CVSS scope is "Changed" (S:C), reflecting that successful exploitation can impact resources beyond the attacker's own Partner Center tenant. CISA added it to the KEV catalog on February 25, 2025 — three months after publication — indicating active exploitation was discovered after the patch had been available for some time.
Affected Versions
| Product | Status |
|---|---|
| Microsoft Partner Center | Cloud service — patched by Microsoft; no customer-side update required |
Because Partner Center is a cloud-hosted Microsoft service, Microsoft applied the patch on the service side. Partners do not need to apply a software update but should verify their account security posture.
Technical Details
CWE-269 (Improper Privilege Management). The vulnerability involves access control flaws in the Partner Center portal that permit a low-privileged authenticated user to perform actions or access resources that should require higher privilege levels. The CVSS metrics (UI:R, scope Changed) suggest the exploitation path involves social engineering or interaction with a higher-privileged user — consistent with a privilege escalation via a crafted link or request that, when acted upon by a privileged Partner Center user, grants elevated access to the attacker.
Given the nature of Partner Center as a multi-tenant MSP management platform, the impact of successful exploitation includes unauthorized access to customer tenant subscriptions, billing data, and the ability to add or remove users across managed organizations.
Discovery
The vulnerability was reported to Microsoft, which patched the cloud service. The three-month gap between patch release (November 2024) and KEV addition (February 2025) suggests exploitation was discovered through threat intelligence rather than being a zero-day at the time of patch.
Exploitation Context
Active exploitation was confirmed by the February 25, 2025 CISA KEV addition. Partner Center accounts are a target of business email compromise (BEC) actors and cloud-focused threat groups who seek to leverage the MSP supply chain to access downstream customer tenants — a pattern seen in the 2021 Kaseya and 2019 SolarWinds-precursor MSP campaigns. Unauthorized access through Partner Center can enable fraudulent Azure subscription provisioning (cryptomining), unauthorized Microsoft 365 license modifications, and access to customer tenant data.
Remediation
- The patch is applied by Microsoft on the service side — no software update required from partners.
- Review all Partner Center accounts: audit roles and permissions, remove accounts no longer needed, and verify that all active accounts are associated with known legitimate users.
- Enable multi-factor authentication (MFA) on all Partner Center accounts — Microsoft requires MFA for all partner accounts accessing Partner Center via their Secure Application Model.
- Review delegated admin privileges (DAP/GDAP) your organization holds over customer tenants; revoke any that are no longer actively needed.
- Monitor Partner Center access logs for unusual login patterns, unexpected geographic locations, or unfamiliar devices.
- Review the Microsoft Partner Security requirements and ensure compliance with the least-privilege GDAP model rather than the broad DAP model.
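The account-audit, sign-in monitoring and GDAP-review steps above, as an added example that is not part of this advisory and not Microsoft's own tooling: a small audit helper run over two constructed data sets (a list of Partner Center user accounts and a list of GDAP relationships over customer tenants). The record field names, the expected-country set, the 90-day staleness threshold and the sample values are assumptions made for this example; the two role template IDs are the documented Entra ID IDs for Global Administrator and Helpdesk Administrator. It flags accounts without MFA, accounts with no recent sign-in, sign-ins from unexpected countries, and active GDAP relationships that grant Global Administrator or are set to the two-year maximum duration.

```python
"""Audit helper for the Partner Center remediation checklist (added example, not
the advisory's or Microsoft's code). Field names and sample data are constructed."""
from datetime import datetime, timedelta, timezone

# Entra ID role template IDs (documented by Microsoft). A GDAP relationship that
# includes Global Administrator grants full control of the customer tenant.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMIN_ROLE_ID = "729827e3-9c14-49f7-bb1b-9608f156bbb8"

EXPECTED_COUNTRIES = {"US", "CA"}          # assumed: where the partner's staff sign in from
STALE_AFTER = timedelta(days=90)           # assumed: no sign-in for 90 days => review/remove
MAX_GDAP_DURATION = timedelta(days=730)    # GDAP's two-year maximum; shorter, task-scoped terms preferred
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed reference time so results are reproducible

# Constructed sample Partner Center accounts (not real data).
ACCOUNTS = [
    {"upn": "alice@partner.example", "mfa_enrolled": True, "roles": ["Admin agent"],
     "last_sign_in": "2025-02-27T09:15:00Z", "sign_in_country": "US"},
    {"upn": "bob@partner.example", "mfa_enrolled": False, "roles": ["Admin agent"],
     "last_sign_in": "2025-02-28T22:40:00Z", "sign_in_country": "NG"},
    {"upn": "svc-legacy@partner.example", "mfa_enrolled": True, "roles": ["Billing admin"],
     "last_sign_in": "2024-10-02T11:00:00Z", "sign_in_country": "US"},
]

# Constructed sample GDAP relationships (not real data).
GDAP_RELATIONSHIPS = [
    {"id": "rel-001", "customer": "contoso.example", "status": "active",
     "duration_days": 180, "role_ids": [HELPDESK_ADMIN_ROLE_ID]},
    {"id": "rel-002", "customer": "fabrikam.example", "status": "active",
     "duration_days": 730, "role_ids": [GLOBAL_ADMIN_ROLE_ID]},
    {"id": "rel-003", "customer": "tailspin.example", "status": "terminated",
     "duration_days": 730, "role_ids": [GLOBAL_ADMIN_ROLE_ID]},
]


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now=NOW, expected_countries=EXPECTED_COUNTRIES):
    """Return (upn, finding) pairs for accounts that fail the checklist."""
    findings = []
    for acct in accounts:
        if not acct["mfa_enrolled"]:
            findings.append((acct["upn"], "mfa_not_enrolled"))
        if now - parse_time(acct["last_sign_in"]) > STALE_AFTER:
            findings.append((acct["upn"], "stale_account"))
        if acct["sign_in_country"] not in expected_countries:
            findings.append((acct["upn"], "unexpected_country:" + acct["sign_in_country"]))
    return findings


def audit_gdap(relationships, max_duration=MAX_GDAP_DURATION):
    """Return (relationship id, finding) pairs for active, over-broad GDAP grants."""
    findings = []
    for rel in relationships:
        if rel["status"] != "active":      # terminated/expired relationships grant nothing
            continue
        if GLOBAL_ADMIN_ROLE_ID in rel["role_ids"]:
            findings.append((rel["id"], "grants_global_admin"))
        if timedelta(days=rel["duration_days"]) >= max_duration:
            findings.append((rel["id"], "long_duration"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit_accounts(ACCOUNTS):
        print(f"account {upn}: {finding}")
    for rel_id, finding in audit_gdap(GDAP_RELATIONSHIPS):
        print(f"gdap {rel_id}: {finding}")
```

In practice the two input lists would be populated from the partner tenant's user and sign-in data and from its GDAP relationship listing; the checks stay the same, and each finding maps back to one of the checklist items above.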
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-49035 |
| Vendor / Product | Microsoft — Partner Center |
| NVD Published | 2024-11-26 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 8.7 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-269 (Improper Privilege Management) |
| CISA KEV Added | 2025-02-25 |
| CISA KEV Deadline | 2025-03-18 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | Required |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | None |
Timeline
| Date | Event |
|---|---|
| 2024-11-26 | CVE published; Microsoft releases patch for Partner Center |
| 2025-02-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-03-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-49035 | Vendor Advisory |
| NVD — CVE-2024-49035 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |