Microsoft: Critical vulnerability in Power Automate, end of the consumer version

Microsoft reports a critical security vulnerability in Power Automate. Support for personal service accounts is also ending.

Microsoft has discovered a critical security vulnerability in the Robotic Process Automation (RPA) tool Power Automate (also known as Power Automate Desktop). Server-side updates will patch it. It has also now been announced that Microsoft is discontinuing support for personal service accounts. Users will have to switch to a paid Azure subscription.

Microsoft provides few details in the vulnerability entry. Unauthorized attackers can access sensitive information, which allows them to elevate their privileges over the network (CVE-2025-47966 / EUVD-2025-17028, CVSS 9.8, risk “critical”). The good news: “The vulnerability documented by this CVE does not require any customer action to fix,” writes Microsoft, as the vulnerability has already been patched by developers on Microsoft servers.

Last week, Microsoft began heralding the end of personal Microsoft service accounts in Power Automate. In a support article, Microsoft explains that the process will be completed on July 26. From then on, those who want to continue using Power Automate will have to create an Azure account and take out a Power Apps developer subscription. After that, it will also be necessary to export the existing automations and import them into the new environment.

From July 27 of this year, users will no longer be able to log in to the Power Automate portal or mobile app with personal email accounts from gmail.com or outlook.com, for example. They will also no longer be able to create, edit or manage cloud flows. In addition, access to all cloud flows with Microsoft service accounts will be permanently removed and these will be deleted.

There is also a free version of Power Automate, which is tied to a Windows 10 license, for example. Microsoft continues to support this software, including with personal email accounts. There is some confusion about the patch status, though: as the entry apparently does not refer to the cloud version, an update should also be available for the local application. Microsoft does not mention one in the vulnerability report, but explicitly names the product “Power Automate Desktop”.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.