CVE-2026-42826
Microsoft · Azure DevOps
An exposure of sensitive information in Azure DevOps allows an unauthenticated attacker to disclose data over a network.
Executive summary
A critical information disclosure vulnerability in Azure DevOps allows unauthenticated attackers to exfiltrate sensitive data, necessitating immediate attention.
Vulnerability
The vulnerability stems from an insecure configuration or design flaw that exposes sensitive information to unauthenticated actors, permitting unauthorized network-based disclosure.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. Unauthorized access to Azure DevOps could result in a complete compromise of source code, deployment pipelines, and environment secrets, leading to catastrophic reputational damage and operational disruption.
Remediation
Immediate Action: Update Azure DevOps to the latest version to close the information exposure gap.
Proactive Monitoring: Audit access logs for unauthorized API requests and monitor network traffic for suspicious egress patterns originating from the DevOps environment.
Compensating Controls: Ensure the instance is not exposed to the public internet and enforce Multi-Factor Authentication (MFA) and IP allow-listing for all access.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing Azure DevOps must treat this as a high-priority remediation task. Immediate patching is required to prevent unauthorized access to sensitive development infrastructure and proprietary codebases.