Critical (9.6)

Partner Center privilege escalation (CVE-2026-24303)

Attackers with low-privilege credentials can elevate to full Partner Center admin via CVE-2026-24303, accessing customer data and billing. Apply the security update in the Partner Center admin portal now.

Affected: Microsoft Partner Center

Patch now - CVE-2026-24303 is a critical privilege escalation in Microsoft Partner Center that lets an attacker with low-privilege credentials gain full administrative access over the network, compromising partner resources and customer data. Apply the security update through the Partner Center admin portal immediately.

Overview

A critical improper access control vulnerability in Microsoft Partner Center allows an authorized attacker to elevate privileges over the network. Microsoft has not confirmed active exploitation of this vulnerability, but the low attack complexity and low privileges required make it a serious risk for Partner Center users.

Vulnerability Details

CVE-2026-24303 has been assigned a CVSS score of 9.6 due to the following characteristics:

  • Attack Vector: Network – the attacker does not need physical access
  • Attack Complexity: Low – no special conditions are required
  • Privileges Required: Low – the attacker only needs basic user-level access
  • User Interaction: None – the attack can be executed without tricking a user

The vulnerability stems from improper access control within Microsoft Partner Center. An attacker with valid but low-privilege Partner Center credentials can leverage this flaw to gain elevated privileges, potentially accessing partner resources and sensitive customer data they should not be able to reach.

Impact

If exploited, this vulnerability could allow an attacker to:

  • Access partner account management features reserved for higher-privilege roles
  • View or modify customer subscription details and billing information
  • Deploy services or provision resources under the partner’s identity
  • Potentially pivot to other Microsoft cloud services accessible through Partner Center

For managed service providers and organizations using Microsoft Partner Center for customer management, this represents a significant business risk.

Affected Systems

Microsoft has not yet published a full list of affected Partner Center versions. Organizations should assume all currently supported versions are impacted until patched.

Remediation

Microsoft has released an update for Partner Center to address this vulnerability. Apply the security update through the Partner Center admin portal as soon as possible. No workarounds are available.

Mitigation

If you cannot immediately update, consider the following temporary measures:

  • Review and audit all Partner Center user accounts for appropriate privilege levels
  • Enforce multi-factor authentication on all Partner Center accounts
  • Monitor Partner Center audit logs for unusual privilege escalation attempts
  • Limit Partner Center access to only those users who require it for their role
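As an added illustration of the first and third mitigation items (audit account privilege levels, watch audit logs for escalation), not code from the advisory or from Microsoft: Partner Center's real audit schema and role names are not described on this page, so the role ranking, event format and sample accounts below are constructed placeholders.

```python
"""Triage role-change events and privileged-account holders for a Partner Center-style tenant."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Constructed ranking of roles, low to high. Placeholder labels, not Partner Center's own role names.
ROLE_RANK = {"helpdesk": 1, "sales": 2, "billing": 3, "admin": 4}

@dataclass(frozen=True)
class RoleChange:
    ts: str          # ISO-8601 timestamp of the change
    actor: str       # principal that performed the change
    actor_role: str  # role the actor held at that moment
    target: str      # account whose role was changed
    old_role: str
    new_role: str

def is_suspicious(ev: RoleChange) -> list[str]:
    """Return the reasons an event looks like an escalation attempt (empty list = benign)."""
    reasons: list[str] = []
    old, new = ROLE_RANK[ev.old_role], ROLE_RANK[ev.new_role]
    if new <= old:
        return reasons  # downgrade or no-op: not an escalation
    if ev.actor == ev.target:
        reasons.append("self-elevation")
    if ROLE_RANK[ev.actor_role] < ROLE_RANK["admin"]:
        # The CVE scenario: a low-privilege principal producing a high-privilege outcome.
        reasons.append("actor lacks admin role")
    return reasons

def triage(events: Iterable[RoleChange]) -> dict[str, list[str]]:
    """Map '<ts> <target>' to its reasons for every event that is_suspicious() flags."""
    return {f"{ev.ts} {ev.target}": why for ev in events if (why := is_suspicious(ev))}

def unapproved_admins(accounts: dict[str, str], approved: set[str]) -> list[str]:
    """Accounts holding the top role that are absent from the approved-admin list."""
    return sorted(a for a, r in accounts.items() if r == "admin" and a not in approved)

# Constructed sample data: one legitimate promotion, one self-elevation by a helpdesk user, one downgrade.
SAMPLE_EVENTS = [
    RoleChange("2026-02-10T09:00:00Z", "alice@partner.example", "admin", "bob@partner.example", "helpdesk", "sales"),
    RoleChange("2026-02-10T09:05:00Z", "carol@partner.example", "helpdesk", "carol@partner.example", "helpdesk", "admin"),
    RoleChange("2026-02-10T09:07:00Z", "alice@partner.example", "admin", "dave@partner.example", "admin", "sales"),
]
SAMPLE_ACCOUNTS = {"alice@partner.example": "admin", "carol@partner.example": "admin", "bob@partner.example": "sales"}
APPROVED_ADMINS = {"alice@partner.example"}

if __name__ == "__main__":
    for key, why in triage(SAMPLE_EVENTS).items():
        print(key, "->", ", ".join(why))
    print("unapproved admins:", unapproved_admins(SAMPLE_ACCOUNTS, APPROVED_ADMINS))
```

In practice the event list would come from an export of the tenant's activity log and the approved-admin set from the access review the first mitigation item calls for.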

Security Insight

CVE-2026-24303 follows a pattern of cloud platform access control vulnerabilities that turn partner ecosystems into attack vectors. Much like recent privilege escalation flaws in cloud management portals, this vulnerability underscores how third-party access in partner programs can become a weak link. Microsoft’s cloud architecture continues to expand partner capabilities, but each new integration point requires rigorous access control validation to prevent lateral movement between partner organizations and their customer tenants. For broader context on recent threat activities, see our weekly roundup covering APT28’s DNS hijacking operations, their exploitation of SOHO routers for credential theft, and Storm-1175’s zero-day exploitation for Medusa ransomware deployment.
