
Microsoft Power Platform

Product
Developers: Microsoft
Date of the premiere of the system: November 2019
Technology: BPM


2025: Microsoft Power Platform Vulnerability Discovered Giving Outsiders Access to Sensitive Information

At the end of June, the NCCC published a notice[1] about the discovery of a critical vulnerability in Microsoft Power Automate, BDU:2025-07071[2], with a criticality score of 9.8 (out of 10), which allows credentials to be obtained over the network and privileges to be escalated within the Microsoft Power Platform. The developer has released fixes that are recommended to be installed promptly in order to prevent identity theft and the compromise of information systems.

Microsoft Power Automate, formerly called Microsoft Flow, is a service for automating workflows in the Microsoft ecosystem. It is part of the Microsoft Power Platform product group along with Power BI, Power Apps and Power Virtual Agents. The service allows users to create flows: sequences of actions that are performed automatically after defined events or when certain conditions are met.

"Microsoft Power Automate is a service from the Microsoft Power Platform product group designed to automate tasks," Andrei Slobodchikov, an independent information security expert, reminded TAdviser readers. "Since 2022, Microsoft has suspended sales in Russia, and since 2024 it has disabled the subscriptions of a number of Russian companies to cloud services. This significantly reduced the number of vulnerable components in Russian companies. However, the product is still used in some companies and can become a vulnerability in the infrastructure."

The flaw, discovered in early June and fixed at the end of the month, belongs to the class of unauthorized access to confidential information (Obtain Sensitive Information), CWE-200. Typically this class of flaws does not carry a very high criticality level; however, when it can be used to obtain authentication material from the system over the network, the criticality rises sharply, as in this case. Microsoft credited the researcher known as Felix B. with discovering the vulnerability; the company publishes no further details about him.

"Microsoft Power Automate is mainly a cloud SaaS solution and a desktop application," Sergey Gordeichik, CEO of SayberOK, explained the situation for TAdviser. "It is practically never exposed on the public Internet in the form of web interfaces, with the exception of individual gateways and integrations. As part of technical monitoring, we did not record an active presence of Power Automate among Russian companies; the rare instances belong to Microsoft's infrastructure and are located outside the Russian Federation."

Nevertheless, within the infrastructure of corporate customers, who are precisely the ones that need business process automation components on the Microsoft platform, vulnerable components may still be present. This allows unpatched servers to be used for lateral movement within the corporate network.

"Microsoft Power Automate is extremely widespread in Russian organizations, including government organizations," Daniil Chernov, author of the Solar appScreener product, told TAdviser. "Firstly, it is part of many corporate Microsoft 365 and Office subscriptions, which are used by the overwhelming majority of companies in Russia. Secondly, Power Automate is actively used both in large corporations and government agencies and in mid-sized businesses to solve routine tasks: from automatic processing of Excel data to the integration of various systems, for example when automating document management based on 1C."

Thus, the use of the vulnerable product in conjunction with Microsoft 365 and Office, for example via an Excel macro virus delivered in a phishing message, can be regarded as a possible initial access vector into the corporate network.

"The reason for the criticality of the vulnerability lies in how the risk is realized: Power Automate returns protected data (tokens, connection strings, environment variables) in response to a specially crafted request without checking access rights," Irina Dmitriyeva, cyber expert and analyst engineer at the Gazinformservice laboratory, explained the unexpectedly high criticality level for TAdviser. "To locate an agent, a network scan is undertaken to detect the listening agent, then a crafted HTTP request is sent to the vulnerable API method with request parameters that cause the data leak. Conceptually, the response contains a JSON object with confidential information (access token, client secret)."

As Andrei Slobodchikov notes, through a specially crafted HTTP request to the Power Automate API, an attacker can obtain information to deceive the authentication system, which, in turn, gives outsiders the opportunity to perform the following malicious actions:

  • Manipulate or destroy automated business processes, which can lead to loss of availability and loss of integrity of critical corporate information;
  • Elevate privileges with information from a vulnerable component and move further through Microsoft's interconnected services, which can ultimately lead to uncontrolled privileged access to the entire company's infrastructure.

To protect against exploitation of vulnerabilities aimed at disclosing confidential information, such as user credentials and personal data, Irina Dmitriyeva recommends filtering incoming traffic to services that process sensitive data and logging all requests to secret stores and to APIs that return sensitive data.

Daniil Chernov also advises correctly configuring network security components and network segmentation to limit access to critical components from outside. It is also worth adhering to the principle of least privilege, so that if one network segment is compromised the damage stays localized.

Intrusion detection and monitoring systems should not be overlooked either: they can spot abnormal activity indicating an attempt to exploit a vulnerability and help the information security team respond to the threat in a timely manner.
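The two recommendations above (filter traffic to sensitive services, log every request to secret-returning APIs, and watch for abnormal activity) can be turned into a simple audit over API gateway logs. The following is an added example written for this article, not code from Microsoft or from any of the quoted experts; the log format, the `/api/connections/secrets` path, the internal network range and the log lines themselves are constructed placeholders, since the article names no concrete API method.

```python
import ipaddress
import json
import re

# Constructed sample access-log lines (one JSON object per line). These are NOT real
# Power Automate logs; the endpoint path and addresses are placeholders for this example.
SAMPLE_LOG = """
{"ts":"2025-06-10T09:12:01Z","src":"10.20.5.14","user":"svc-flow","path":"/api/connections/secrets","status":200,"body":"{\\"connectionString\\":\\"Server=db;Password=x\\"}"}
{"ts":"2025-06-10T09:12:07Z","src":"203.0.113.7","user":"","path":"/api/connections/secrets","status":200,"body":"{\\"access_token\\":\\"eyJ...\\",\\"client_secret\\":\\"abc\\"}"}
{"ts":"2025-06-10T09:13:00Z","src":"203.0.113.7","user":"","path":"/api/flows/list","status":401,"body":"{\\"error\\":\\"unauthorized\\"}"}
{"ts":"2025-06-10T09:14:30Z","src":"10.20.5.90","user":"","path":"/api/connections/secrets","status":200,"body":"{\\"access_token\\":\\"eyJ...\\"}"}
"""

# Assumed policy: only the automation segment may call the secret-returning API (placeholder CIDR).
ALLOWED_NETS = ["10.20.0.0/16"]
SENSITIVE_PATHS = {"/api/connections/secrets"}
# Top-level JSON keys that mean a credential was handed out in the response body.
SECRET_KEY_RE = re.compile(r"(access_?token|refresh_?token|client_?secret|connection_?string)", re.I)


def secret_keys_in(body):
    """Return the set of credential-bearing top-level keys in a JSON response body."""
    try:
        obj = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return set()
    return {k for k in obj if SECRET_KEY_RE.search(k)} if isinstance(obj, dict) else set()


def audit(log_text, allowed_nets=ALLOWED_NETS, sensitive_paths=SENSITIVE_PATHS):
    """Return (recorded, findings): every call to a sensitive API, plus policy violations."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    recorded, findings = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        src = ipaddress.ip_address(ev["src"])
        internal = any(src in n for n in nets)
        if ev["path"] in sensitive_paths:
            recorded.append(ev)  # keep a full record of every request to the secret-returning API
            if not internal:     # traffic that the filtering rule should have blocked
                findings.append({"ts": ev["ts"], "src": ev["src"],
                                 "reason": "sensitive_api_from_outside_allowed_nets"})
        leaked = secret_keys_in(ev.get("body", ""))
        if ev["status"] == 200 and leaked and not ev.get("user"):
            # The failure mode described above: secrets returned with no authenticated identity.
            findings.append({"ts": ev["ts"], "src": ev["src"], "keys": sorted(leaked),
                             "reason": "secrets_returned_without_authenticated_user"})
    return recorded, findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG)[1]:
        print(f)
```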

2019: Implementation of RPA features

November 2019 was the month of Microsoft's actual entry into the robotic process automation software market. The corresponding functionality appeared in the Power Platform product, which combines application development and integration services and business intelligence tools.

The platform received the Power Automate process automation solution, previously called Microsoft Flow. The new technology creates UI robots for automation in any application, including those that do not support integration through an API.


Microsoft claims that Power Automate can significantly simplify the automation of processes in an organization, since it does not require knowledge of programming to configure it: the user only needs to demonstrate the execution of an action that he would like to automate.

"One of the biggest challenges facing companies is scaling and automating business processes, from digitizing manual and paper processes to automating complex processes that span legacy and modern applications," says James Phillips, Microsoft's corporate vice president of business applications. "In a short time, RPA became a key technology for solving many of these problems, but, as a rule, it is a hodgepodge of automation services that still need to be integrated and controlled before the real work can be done."

Power Automate solves this problem with a simplified interface that allows employees to create and reproduce scenarios for the interaction of a software robot with a person, and then launch bots that can automate the execution of everyday functions, Microsoft said in a statement.[3]
