Search criteria
9 vulnerabilities found for power_automate_for_desktop by microsoft
FKIE_CVE-2025-47966
Vulnerability from fkie_nvd - Published: 2025-06-05 21:15 - Updated: 2025-07-08 16:26
Severity ?
Summary
Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | power_automate_for_desktop | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C1B231AB-37F6-4226-A774-952FCE9AB2AE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "secure@microsoft.com",
"tags": [
"exclusively-hosted-service"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network."
},
{
"lang": "es",
"value": "La exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado en Power Automate permite que un atacante no autorizado eleve privilegios en una red."
}
],
"id": "CVE-2025-47966",
"lastModified": "2025-07-08T16:26:34.813",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2025-06-05T21:15:22.127",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Broken Link"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47966"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-29817
Vulnerability from fkie_nvd - Published: 2025-04-15 17:15 - Updated: 2025-07-08 16:26
Severity ?
Summary
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29817 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| microsoft | power_automate_for_desktop | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "521C8D25-648F-4E5D-8AA8-EEF7EDCEF21F",
"versionEndExcluding": "2.51.349.24355",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network."
},
{
"lang": "es",
"value": "El elemento de ruta de b\u00fasqueda no controlada en Power Automate permite que un atacante autorizado divulgue informaci\u00f3n a trav\u00e9s de una red."
}
],
"id": "CVE-2025-29817",
"lastModified": "2025-07-08T16:26:03.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2025-04-15T17:15:48.873",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29817"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-427"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-21187
Vulnerability from fkie_nvd - Published: 2025-01-14 18:15 - Updated: 2025-02-05 19:14
Severity ?
Summary
Microsoft Power Automate Remote Code Execution Vulnerability
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187 | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3AE490E-B66C-45D1-81FE-46C8DB0D9A7A",
"versionEndExcluding": "2.46.184.25013",
"versionStartIncluding": "2.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78453D1B-A64E-4596-9208-462526C0627C",
"versionEndExcluding": "2.47.126.25010",
"versionStartIncluding": "2.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1BAD3381-BDB2-42FC-89E7-96A388288F09",
"versionEndExcluding": "2.48.164.25010",
"versionStartIncluding": "2.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91E8C064-A7DB-4C2D-8594-28A6C1012A88",
"versionEndExcluding": "2.49.182.25010",
"versionStartIncluding": "2.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23AE7E1D-6A5D-4750-BB9A-2D626CC0CE1F",
"versionEndExcluding": "2.50.139.25010",
"versionStartIncluding": "2.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C03A1069-DBBE-4C3A-A315-C80870819A80",
"versionEndExcluding": "2.51.349.24355",
"versionStartIncluding": "2.51",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Power Automate Remote Code Execution Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en Microsoft Power Automate"
}
],
"id": "CVE-2025-21187",
"lastModified": "2025-02-05T19:14:06.093",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Secondary"
}
]
},
"published": "2025-01-14T18:15:31.187",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-47966 (GCVE-0-2025-47966)
Vulnerability from cvelistv5 – Published: 2025-06-05 20:59 – Updated: 2025-07-11 16:36 Exclusively Hosted Service
VLAI?
Title
Power Automate Elevation of Privilege Vulnerability
Summary
Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.
Severity ?
9.8 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
N/A
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-07T03:55:20.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionStartIncluding": "N/A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-06-05T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T16:36:32.561Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power Automate Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47966"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Power Automate Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-47966",
"datePublished": "2025-06-05T20:59:02.172Z",
"dateReserved": "2025-05-14T14:13:13.465Z",
"dateUpdated": "2025-07-11T16:36:32.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29817 (GCVE-0-2025-29817)
Vulnerability from cvelistv5 – Published: 2025-04-15 16:10 – Updated: 2025-06-04 17:52
VLAI?
Title
Microsoft Power Automate Desktop Information Disclosure Vulnerability
Summary
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
Severity ?
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
1.0.0.0 , < 2.51.349.24355
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T17:52:51.533548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T17:53:01.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2.51.349.24355",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.51.349.24355",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-04-15T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T17:52:49.863Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Power Automate Desktop Information Disclosure Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29817"
}
],
"title": "Microsoft Power Automate Desktop Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-29817",
"datePublished": "2025-04-15T16:10:04.855Z",
"dateReserved": "2025-03-11T22:56:43.942Z",
"dateUpdated": "2025-06-04T17:52:49.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21187 (GCVE-0-2025-21187)
Vulnerability from cvelistv5 – Published: 2025-01-14 18:04 – Updated: 2025-09-09 23:46
VLAI?
Title
Microsoft Power Automate Remote Code Execution Vulnerability
Summary
Microsoft Power Automate Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
1.0.0.0 , < 2.52.62.25009
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T04:55:27.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2.52.62.25009",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.52.62.25009",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-01-14T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Power Automate Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T23:46:24.557Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Power Automate Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187"
}
],
"title": "Microsoft Power Automate Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-21187",
"datePublished": "2025-01-14T18:04:20.259Z",
"dateReserved": "2024-12-05T21:43:30.764Z",
"dateUpdated": "2025-09-09T23:46:24.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47966 (GCVE-0-2025-47966)
Vulnerability from nvd – Published: 2025-06-05 20:59 – Updated: 2025-07-11 16:36 Exclusively Hosted Service
VLAI?
Title
Power Automate Elevation of Privilege Vulnerability
Summary
Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.
Severity ?
9.8 (Critical)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
N/A
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-07T03:55:20.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionStartIncluding": "N/A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-06-05T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T16:36:32.561Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Power Automate Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47966"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Power Automate Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-47966",
"datePublished": "2025-06-05T20:59:02.172Z",
"dateReserved": "2025-05-14T14:13:13.465Z",
"dateUpdated": "2025-07-11T16:36:32.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29817 (GCVE-0-2025-29817)
Vulnerability from nvd – Published: 2025-04-15 16:10 – Updated: 2025-06-04 17:52
VLAI?
Title
Microsoft Power Automate Desktop Information Disclosure Vulnerability
Summary
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
Severity ?
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
1.0.0.0 , < 2.51.349.24355
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T17:52:51.533548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T17:53:01.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2.51.349.24355",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.51.349.24355",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-04-15T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T17:52:49.863Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Power Automate Desktop Information Disclosure Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29817"
}
],
"title": "Microsoft Power Automate Desktop Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-29817",
"datePublished": "2025-04-15T16:10:04.855Z",
"dateReserved": "2025-03-11T22:56:43.942Z",
"dateUpdated": "2025-06-04T17:52:49.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21187 (GCVE-0-2025-21187)
Vulnerability from nvd – Published: 2025-01-14 18:04 – Updated: 2025-09-09 23:46
VLAI?
Title
Microsoft Power Automate Remote Code Execution Vulnerability
Summary
Microsoft Power Automate Remote Code Execution Vulnerability
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Power Automate for Desktop |
Affected:
1.0.0.0 , < 2.52.62.25009
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T04:55:27.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Power Automate for Desktop",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2.52.62.25009",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.52.62.25009",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-01-14T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Power Automate Remote Code Execution Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T23:46:24.557Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Power Automate Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187"
}
],
"title": "Microsoft Power Automate Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-21187",
"datePublished": "2025-01-14T18:04:20.259Z",
"dateReserved": "2024-12-05T21:43:30.764Z",
"dateUpdated": "2025-09-09T23:46:24.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}