Platform
dotnet
Component
microsoft-power-apps
CVE-2025-47733 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Power Apps. It lets an unauthorized attacker make the application issue requests to internal or external resources of the attacker's choosing and learn sensitive information from the responses. Power Apps is a cloud-hosted service: the fix is deployed on Microsoft's side rather than by customers installing a new version, so the Microsoft Security Update Guide entry for CVE-2025-47733 is the authoritative source for the current remediation status.
The SSRF in Microsoft Power Apps is serious because the forged request is issued by Microsoft's service infrastructure, not by the attacker's own machine, so it inherits whatever network position and credentials that infrastructure has. An attacker who can craft or modify a Power Apps workflow could direct requests at service-internal endpoints, at metadata services, or at customer systems that are exposed to Power Platform through connectors or an on-premises data gateway, and read back API keys, credentials, or internal network details from the responses. That information can enable data theft, unauthorized access, and lateral movement. The impact grows with the number of business systems wired into Power Apps, since each integration is another target the forged request can reach.
CVE-2025-47733 was publicly disclosed on 2025-05-08. The CVSS base score of 9.1 (CRITICAL) rates severity, not likelihood of exploitation; the likelihood estimate is the EPSS value listed below. No public proof-of-concept (PoC) code is known at the time of writing. Monitor CISA and Microsoft security advisories for updates, including any addition to the CISA KEV catalog.
Organizations that rely on Microsoft Power Apps for business processes are at risk in proportion to what the service can reach: tenants whose apps, custom connectors or on-premises data gateways expose internal APIs, databases or management interfaces to Power Platform have the most to lose. Weak network segmentation around those integration points widens the set of resources a forged request can hit. Because the service is hosted by Microsoft, exposure is a question of the vendor-side fix status and of your integration surface, not of a locally installed version.
• windows / dotnet: Power Apps runs in Microsoft's cloud, so there is no local Power Apps process whose network connections you can inspect. The hosts you do control in the request path are those that relay Power Platform traffic into your network, typically an on-premises data gateway server. On such a host, list the TCP connections owned by the relay process and look for destinations the gateway was never configured to reach:
# Run on the gateway/relay host. Set $ProcessName to the relay process actually running there;
# the value below is a placeholder, not a real Power Apps process name.
$ProcessName = "PowerAppsService"
Get-Process -Name $ProcessName -ErrorAction Stop |
    ForEach-Object { Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
• generic web: Monitor web server access logs for requests that arrive through Power Platform connectors or the gateway and target resources the app was never built to call: loopback or link-local addresses (169.254.169.254), management or metadata endpoints, or internal hosts outside the configured data sources. The attacker sees the response, you only see the request, so log the full request target and source rather than relying on response content.
• database (mysql, redis, mongodb, postgresql): SSRF yields HTTP requests, so direct hits on database wire protocols are unlikely. Watch instead for connections to HTTP-speaking admin or REST interfaces of these databases, and for any database connection attempts from the gateway host that fall outside its configured data sources.
Disclosure
Exploit status
EPSS
2.92% (86th percentile)
CISA SSVC
CVSS vector
Because Power Apps is a Microsoft-hosted service, there is no customer-installed patch for CVE-2025-47733; confirm the remediation status in the Microsoft Security Update Guide. What you can do on your side is shrink the set of resources a forged request could reach: restrict outbound and inbound traffic on on-premises data gateway hosts with firewall rules, allow-list the hosts that connectors are permitted to call, and use Power Platform data loss prevention (DLP) policies to control which connectors apps may use. Audit existing apps and custom connector definitions for targets that point at private, loopback or link-local addresses, and remove or justify each one. These measures do not close the flaw itself, but they limit what an exploit could disclose.
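The following is an added example, not code from Microsoft, from Power Apps or from this page. It shows the two checks that the attack description above and the audit advice in this section imply: a target classifier of the kind an SSRF guard applies to every outbound URL (rejecting non-HTTP schemes, loopback, link-local, private and IPv4-mapped addresses), and an offline audit that runs that classifier over custom connector definitions. Assumptions: connector definitions are OpenAPI 2.0 JSON with `host`, `basePath` and `schemes` fields (the shape Power Platform custom connectors use); the `resolve` callback is a hypothetical DNS hook so the check can run with or without network access; the sample definitions at the bottom are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _non_global(ip):
    """True if ip is loopback, link-local, private, reserved, etc.
    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first, because
    they are a common way past deny lists that only look at dotted IPv4."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def classify_target(url, resolve=None):
    """Classify an outbound request target as 'allow', 'deny' or 'unresolved'.

    resolve(hostname) -> list of IP strings is an optional, hypothetical DNS hook.
    Without it, names that are not IP literals come back 'unresolved' so the
    check stays offline. A real guard resolves once, checks every returned
    address, and connects to the checked address rather than the name, so a
    DNS rebinding between check and connect cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "deny", "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return "deny", "no host in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return "deny", "loopback hostname"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        if resolve is None:
            return "unresolved", "hostname %s not resolved" % host
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            return "deny", "hostname %s has no addresses" % host
    for ip in addrs:
        if _non_global(ip):
            return "deny", "%s is not a public address" % ip
    return "allow", "ok"


def audit_connector_definitions(definitions):
    """Return (title, verdict, reason) for every OpenAPI 2.0 connector
    definition whose host does not classify as a public target.
    Runs offline, so plain hostnames are reported as 'unresolved' for follow-up."""
    findings = []
    for d in definitions:
        title = d.get("info", {}).get("title", "<untitled>")
        base = d.get("basePath", "/")
        for scheme in d.get("schemes", ["https"]):
            target = "%s://%s%s" % (scheme, d.get("host", ""), base)
            verdict, reason = classify_target(target)
            if verdict != "allow":
                findings.append((title, verdict, reason))
    return findings


# Constructed sample definitions (not real connectors), in the OpenAPI 2.0
# shape used by Power Platform custom connectors.
SAMPLE_DEFINITIONS = [
    {"info": {"title": "HR intranet"}, "host": "10.0.0.5",
     "basePath": "/api", "schemes": ["https"]},
    {"info": {"title": "Partner API"}, "host": "api.partner.example",
     "basePath": "/v1", "schemes": ["https"]},
    {"info": {"title": "Metadata probe"}, "host": "169.254.169.254",
     "basePath": "/metadata", "schemes": ["http"]},
]

if __name__ == "__main__":
    for title, verdict, reason in audit_connector_definitions(SAMPLE_DEFINITIONS):
        print("%-15s %-10s %s" % (title, verdict, reason))
```

The audit deliberately reports plain hostnames as `unresolved` rather than silently allowing them: a connector host such as `intranet.corp.local` is only safe if it resolves to a public address, and that is a question for the resolver, not for string matching.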
Microsoft has released a security update that addresses this vulnerability. Since Power Apps is a cloud service, the update is applied by Microsoft; consult the Microsoft Security Update Guide entry for CVE-2025-47733 for further information and any tenant-side steps.
CVE-2025-47733 is a critical SSRF vulnerability in Microsoft Power Apps that allows unauthorized attackers to disclose information over a network by manipulating application requests.
You are affected if your organization uses Microsoft Power Apps, especially where apps, custom connectors or an on-premises data gateway expose internal systems to the service. There is no customer-installed version to check; confirm the remediation status in Microsoft's advisory.
Confirm in Microsoft's advisory that the service-side fix is in place. On your side, segment the networks reachable from gateway hosts, allow-list connector targets, apply DLP policies to connectors, and audit custom connector definitions for internal addresses.
No public exploit is known at the time of writing; the EPSS estimate is 2.92% (86th percentile). Monitor your environment and Microsoft's advisory for changes.
Refer to the official Microsoft Security Update Guide for CVE-2025-47733 for detailed information and the fixed version.