CVE-2025-47733

9.1 CRITICAL

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in Microsoft Power Apps allows attackers to make unauthorized requests from the server to internal or external systems, potentially exposing sensitive data. Organizations using affected Power Apps configurations are vulnerable to information disclosure attacks.

💻 Affected Systems

Products:
  • Microsoft Power Apps
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows Server (hosting Power Apps)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Power Apps configurations that process untrusted URLs or user input for server-side requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access internal systems, cloud metadata services, or sensitive data stores, leading to full network compromise and data exfiltration.
🟠 Likely Case: Information disclosure from internal services, cloud metadata endpoints, or adjacent systems accessible from the Power Apps server.
🟢 If Mitigated: Limited impact with proper network segmentation and input validation controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities typically have low exploitation complexity when attackers can control URL parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47733

Restart Required: Yes

Instructions:

1. Apply latest Microsoft Power Apps updates via Microsoft Update
2. Restart affected Power Apps services
3. Validate functionality after patching

🔧 Temporary Workarounds

Input Validation and URL Whitelisting (applies to: all)

Implement strict input validation and whitelist allowed URLs for server-side requests

Network Segmentation (applies to: all)

Restrict Power Apps server network access to only required internal services

🧯 If You Can't Patch

  • Implement strict input validation for all URL parameters in Power Apps
  • Deploy network controls to restrict outbound connections from Power Apps servers
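The two workarounds above (URL allowlisting and restricting where the server may connect) can be enforced in the code path that issues server-side requests. The following is an added example written for this page, not Microsoft's code or any Power Apps API; the allowlisted hosts, schemes and ports are hypothetical placeholders. It rejects URLs that smuggle credentials or IP literals, and resolves the hostname so that an allowlisted name pointing at an internal or link-local address (such as the 169.254.169.254 metadata range) is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only destinations server-side requests may reach.
ALLOWED_HOSTS = {"api.example.com", "reports.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Address ranges a server-side request must never reach, whatever the hostname:
# RFC 1918, loopback, link-local (where 169.254.169.254 lives) and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Resolve a hostname to the set of all its addresses via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 is unwrapped first)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL supplied by user input.

    The resolver is injectable so the check can be unit-tested offline.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "https://api.example.com@10.0.0.1/" parses with hostname 10.0.0.1; refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Exact-match allowlist on the parsed hostname; IP literals never match.
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/report?id=7",
                      "https://api.example.com@10.0.0.1/",
                      "https://169.254.169.254/"):
        print(candidate, validate_outbound_url(candidate))
```

The resolved address should also be the one the HTTP client actually connects to (pin it rather than letting the client re-resolve), and redirects should be disabled or re-validated with the same function, otherwise a DNS rebinding or a 302 to an internal address bypasses the check.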

🔍 How to Verify

Check if Vulnerable:

Review Power Apps configuration for URL processing functions and test with controlled SSRF payloads

Check Version:

Check Power Apps version in Microsoft 365 admin center or PowerShell: Get-PowerApp

Verify Fix Applied:

Verify Power Apps version is updated and test SSRF attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Power Apps servers
  • Requests to internal IP ranges or metadata endpoints

Network Indicators:

  • Power Apps servers making unexpected external requests
  • Requests to cloud metadata services (169.254.169.254)

SIEM Query:

source="PowerApps" AND (dest_ip=169.254.169.254 OR dest_ip IN [RFC1918 ranges])
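The SIEM query above is written in pseudo-syntax; the following added example (not a Microsoft or vendor-supplied detection) implements the same logic over constructed key=value egress log lines, so the rule can be checked before it is ported to a real SIEM. It flags the two log indicators (metadata endpoint, RFC 1918 destinations) and the network indicator of unexpected external hosts against a hypothetical allowlist; the log format and host names are made up for this example.

```python
import ipaddress
import re

# Constructed sample egress log lines in key=value form. They are not a real
# Power Apps or Microsoft log format; the field names mirror the SIEM query.
SAMPLE_LOGS = """\
ts=2025-06-01T10:00:01Z source=PowerApps src_host=pa-conn-01 dest_ip=203.0.113.10 dest_host=api.example.com dest_port=443 status=200
ts=2025-06-01T10:00:03Z source=PowerApps src_host=pa-conn-01 dest_ip=169.254.169.254 dest_host=169.254.169.254 dest_port=80 status=200
ts=2025-06-01T10:00:05Z source=PowerApps src_host=pa-conn-02 dest_ip=10.20.30.40 dest_host=10.20.30.40 dest_port=8080 status=401
ts=2025-06-01T10:00:07Z source=Exchange src_host=mail-01 dest_ip=10.20.30.41 dest_host=mail-01 dest_port=25 status=-
ts=2025-06-01T10:00:09Z source=PowerApps src_host=pa-conn-01 dest_ip=203.0.113.55 dest_host=unlisted.example.net dest_port=443 status=200
"""

# Hypothetical allowlist of external hosts the Power Apps connectors are expected to call.
EXPECTED_EXTERNAL_HOSTS = {"api.example.com", "reports.example.com"}

RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
METADATA_IP = ipaddress.ip_address("169.254.169.254")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(record, expected_hosts):
    """Return why a record is suspicious, or None if it looks benign.

    Mirrors the SIEM query (source PowerApps, dest_ip is the metadata IP or RFC 1918)
    and adds the 'unexpected external requests' network indicator.
    """
    if record.get("source") != "PowerApps":
        return None
    try:
        dest = ipaddress.ip_address(record.get("dest_ip", ""))
    except ValueError:
        return "unparseable dest_ip"
    if dest == METADATA_IP:
        return "request to cloud metadata endpoint"
    if any(dest in net for net in RFC1918_NETWORKS):
        return "request to internal RFC 1918 address"
    if record.get("dest_host") not in expected_hosts:
        return "request to unexpected external host"
    return None


def find_suspicious(log_text, expected_hosts=EXPECTED_EXTERNAL_HOSTS):
    """Scan log text and return one finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec, expected_hosts)
        if reason:
            findings.append({
                "ts": rec.get("ts"),
                "src_host": rec.get("src_host"),
                "dest": f"{rec.get('dest_host')}:{rec.get('dest_port')}",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src_host']} -> {f['dest']}: {f['reason']}")
```

If outbound traffic leaves through a forward proxy, dest_ip in the source log may be the proxy's address; in that case run the same classification over the proxy's own logs, where the real destination is recorded.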
