CVE-2025-30387 is a critical security vulnerability classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. This vulnerability affects Microsoft Azure AI Document Intelligence Studio version 1.0.0. The flaw allows an unauthorized attacker to manipulate file path inputs to access files and directories outside the intended restricted directory boundaries. By exploiting this path traversal, an attacker can potentially read, modify, or execute files that should be inaccessible, leading to privilege escalation over the network without requiring any authentication or user interaction. The CVSS v3.1 base score of 9.8 reflects the severity, highlighting that the attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is publicly disclosed as of May 13, 2025, but no known exploits in the wild have been reported yet. The absence of patch links suggests that a fix may not have been released at the time of this report, increasing the urgency for organizations to monitor updates and apply mitigations promptly. Given that Azure AI Document Intelligence Studio is a cloud-based AI service used for document processing and analysis, exploitation could lead to unauthorized data access, manipulation of AI workflows, and disruption of document processing pipelines, severely impacting business operations and data security.

For European organizations, the impact of CVE-2025-30387 can be significant due to the widespread adoption of Microsoft Azure services across Europe, including Azure AI offerings. Organizations relying on Azure AI Document Intelligence Studio for processing sensitive documents—such as financial institutions, healthcare providers, legal firms, and government agencies—face risks of unauthorized data exposure and potential data integrity violations. The ability to elevate privileges remotely without authentication means attackers could gain control over document processing environments, leading to data breaches, intellectual property theft, and operational disruptions. This could also result in non-compliance with stringent European data protection regulations such as GDPR, exposing organizations to legal and financial penalties. Additionally, the disruption of AI workflows could degrade service quality and trust in automated document processing solutions, impacting business continuity and customer confidence.

Given the critical nature of this vulnerability and the lack of an immediate patch, European organizations should implement several specific mitigations: 1) Restrict network access to Azure AI Document Intelligence Studio instances using Azure Firewall and Network Security Groups (NSGs) to limit exposure to trusted IP addresses and internal networks only. 2) Employ Azure Role-Based Access Control (RBAC) to enforce the principle of least privilege, ensuring that only authorized users and services can interact with the AI Document Intelligence Studio. 3) Monitor and audit file access logs and AI service activity using Azure Monitor and Azure Security Center to detect anomalous access patterns indicative of exploitation attempts. 4) Use Azure Private Link or service endpoints to isolate the service from public internet exposure. 5) Implement input validation and sanitization at the application layer if custom integrations exist, to prevent malicious path inputs. 6) Stay informed on Microsoft security advisories and apply patches or updates immediately upon release. 7) Consider deploying Web Application Firewalls (WAF) or Intrusion Detection/Prevention Systems (IDS/IPS) that can detect and block path traversal attack signatures targeting Azure services.