CVE-2025-30387 is a critical security vulnerability classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. This vulnerability affects Microsoft Azure AI Document Intelligence Studio version 1.0.0. The flaw allows an unauthorized attacker to manipulate file path inputs to access directories and files outside the intended restricted directory boundaries. By exploiting this vulnerability over the network, an attacker can elevate privileges, potentially gaining unauthorized access to sensitive files or system resources. The vulnerability does not require any authentication or user interaction, making it highly exploitable remotely. The CVSS v3.1 base score is 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. The attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, meaning the vulnerability affects the same security authority. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make it a significant threat. The vulnerability could lead to unauthorized data disclosure, modification, or deletion, and potentially allow attackers to execute arbitrary code or disrupt services within Azure AI Document Intelligence Studio environments.

For European organizations using Microsoft Azure AI Document Intelligence Studio, this vulnerability poses a severe risk. The ability for an attacker to perform path traversal and elevate privileges remotely could lead to unauthorized access to sensitive documents and intellectual property processed or stored within the AI Document Intelligence Studio environment. This could result in data breaches involving personal data protected under GDPR, leading to regulatory fines and reputational damage. Additionally, integrity and availability impacts could disrupt business operations relying on document processing workflows, causing operational downtime and financial losses. Given the critical CVSS score and network exploitability without authentication, attackers could target European enterprises, government agencies, and critical infrastructure sectors leveraging Azure services. The risk is amplified for organizations with sensitive or regulated data, including financial institutions, healthcare providers, and public sector entities. The vulnerability also raises concerns about supply chain security, as compromised AI document processing could propagate malicious data or misinformation.

To mitigate this vulnerability, European organizations should immediately apply any patches or updates released by Microsoft for Azure AI Document Intelligence Studio. In the absence of patches, organizations should implement strict input validation and sanitization on all file path parameters to prevent traversal sequences such as '../'. Network-level controls should be enforced to restrict access to the Azure AI Document Intelligence Studio environment to trusted IP ranges and use network segmentation to limit exposure. Employing Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts can provide an additional layer of defense. Monitoring and logging file access patterns and anomalous activities related to file system operations within the Azure environment should be enhanced to detect exploitation attempts early. Organizations should also review and enforce the principle of least privilege for service accounts and users interacting with the AI Document Intelligence Studio to minimize potential damage from a successful exploit. Finally, conducting regular security assessments and penetration testing focused on path traversal and related vulnerabilities in cloud services is recommended to proactively identify and remediate weaknesses.