The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is urging Microsoft cloud customers to reset their security keys in light of a recent vulnerability that may have exposed customer data.
The flaw, discovered by researchers at Wiz, would have allowed any customer using Microsoft’s Azure Cosmos database to read, write and delete another user’s information without authorization. Cosmos DB is used by thousands of organizations, including Coca-Cola, Exxon Mobil and a number of other Fortune 500 companies.
“Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to secure access to data in Azure Cosmos DB,” CISA wrote in an alert Friday.
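The key rotation CISA recommends can be scripted against the Azure CLI; the following is an added example, not code from CISA, Microsoft or Wiz, and assumes a signed-in `az` CLI, constructed resource-group and account names, and a placeholder switch hook standing in for whatever redeploys your applications with the new key.

```shell
# Rotate every Azure Cosmos DB account key, secondary first, so applications can be
# moved onto the fresh secondary before the primary they were using is invalidated.
# Assumptions (constructed for this example): az is logged in; DRY_RUN=1 prints the
# commands instead of running them; the resource group and account names are samples.
set -eu

AZ="${AZ:-az}"
DRY_RUN="${DRY_RUN:-0}"

# Run one az command, or print it in dry-run mode.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$AZ $*"
  else
    "$AZ" "$@"
  fi
}

# Regenerate one key. Valid kinds for `az cosmosdb keys regenerate --key-kind`:
# primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
  rg="$1"; account="$2"; kind="$3"
  run_az cosmosdb keys regenerate --resource-group "$rg" --name "$account" --key-kind "$kind"
}

# Rotation without downtime: new secondary, run the hook that moves applications onto
# it, new primary, then the read-only pair. Every key that existed before the rotation
# is invalid afterwards, which is the point of CISA's advice: a key copied earlier
# no longer grants access.
rotate_keys() {
  rg="$1"; account="$2"; switch_hook="${3:-}"
  regenerate_key "$rg" "$account" secondary
  if [ -n "$switch_hook" ]; then
    eval "$switch_hook"
  fi
  regenerate_key "$rg" "$account" primary
  regenerate_key "$rg" "$account" secondaryReadonly
  regenerate_key "$rg" "$account" primaryReadonly
}

# Demo with constructed names: `sh rotate.sh --demo` prints the four commands.
if [ "${1:-}" = "--demo" ]; then
  DRY_RUN=1
  rotate_keys example-rg example-cosmos-account "echo 'redeploy apps with the new secondary key here'"
fi
```

Run it once with `DRY_RUN=1` to review the exact commands before letting it touch a production account.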
Microsoft said in a blog post Friday that it had contacted the customers who had the vulnerable Azure Cosmos DB feature enabled during the period in which the researchers were tracking the flaw. There is no evidence that outsiders accessed any customer data, the company said.
But researchers at Wiz say the vulnerability has been exploitable for roughly two years, which means that many more customers could have been exposed.
“Every Cosmos DB customer should assume they’ve been exposed,” Wiz researchers wrote.
This is the second time this month that CISA has alerted users to an urgent Microsoft vulnerability.
CISA on August 21 issued an urgent warning that cybercriminals were actively exploiting a months-old vulnerability in Microsoft ProxyShell to attack company servers and deploy ransomware.