Azure Document Intelligence Studio Path Traversal Flaw (CVE-2025-30387): Critical Privilege Escalation Risk

Introduction

A critical vulnerability in Azure Document Intelligence Studio On-Prem, identified as CVE-2025-30387, exposes organizations to severe privilege escalation risks. With a CVSS score of 9.8, this flaw allows attackers to bypass directory restrictions remotely, potentially leading to catastrophic data breaches and system compromise.

Affected Systems and Versions

The vulnerability specifically affects:

• Azure Document Intelligence Studio On-Prem versions up to and including 2024.9
• Azure AI services integrated with legacy document processing pipelines

Technical Information

The vulnerability originates from improper sanitization of user-supplied file paths. Attackers exploit this flaw by injecting directory traversal sequences (../) into file-handling requests, allowing unauthorized access to sensitive directories beyond the intended scope. This can result in:

• Privilege escalation by overwriting critical system files
• Data exfiltration by accessing sensitive information such as credentials and API keys
• Potential remote code execution by writing malicious payloads to executable paths

Attack Vectors

• Network-Based Exploitation: Attackers can exploit this vulnerability remotely over HTTP/S without authentication.
• Local File Inclusion (LFI): Exploiting document upload or processing workflows to reference restricted paths.

Proof of Concept

A basic exploit demonstrating the vulnerability:

POST /v1/processDocument HTTP/1.1
Host: intelligence.azure.com
Content-Type: application/json

{
  "filePath": "../../../etc/passwd",
  "operation": "extractText"
}

This request retrieves the system's password file, illustrating unauthorized access to sensitive directories.

Patch Information

Organizations must immediately apply Microsoft's security update (KB5036893) released in May 2025. This patch specifically addresses the vulnerability in Azure Document Intelligence Studio On-Prem.

• Microsoft Security Update KB5036893

Detection Methods

Organizations should monitor HTTP requests for directory traversal patterns (../, %2e%2e%2f). Additionally, log entries indicating access to sensitive system files such as /etc/shadow or Azure credential stores should be flagged immediately as potential indicators of compromise.

Vendor Security History

Microsoft has faced recurring security challenges, particularly with privilege escalation vulnerabilities in Azure. Recent vulnerabilities such as CVE-2025-21415 and CVE-2025-29827 highlight systemic issues in securing Azure's multi-tenant architecture. Microsoft's recent transparency and rapid patching efforts demonstrate a commitment to improving their security posture.

References

• Microsoft Security Response Center
• Zero Day Initiative Analysis
• GBHackers Patch Tuesday Overview
• BleepingComputer Patch Tuesday Coverage
• NVD CVE-2025-30387

Organizations must act swiftly to mitigate this critical vulnerability and protect their Azure environments from potential exploitation.