CVE-2025-49752
📋 TL;DR
CVE-2025-49752 is an elevation of privilege vulnerability in Azure Bastion that allows authenticated attackers to gain unauthorized administrative access to Azure Bastion resources. This affects organizations using Azure Bastion for secure remote access to Azure virtual machines. Attackers could potentially compromise the Bastion service and pivot to connected virtual machines.
💻 Affected Systems
- Microsoft Azure Bastion
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Azure Bastion service leading to unauthorized administrative access to all connected virtual machines, data exfiltration, and lateral movement across the Azure environment.
Likely Case
Unauthorized administrative access to Azure Bastion resources allowing attackers to intercept or manipulate remote sessions to virtual machines.
If Mitigated
Limited impact with proper network segmentation, least privilege access controls, and monitoring in place.
🎯 Exploit Status
Requires authenticated access to Azure. The CWE-294 (Authentication Bypass by Capture-replay) suggests this may involve credential or session manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest Azure Bastion service update (automatically applied by Microsoft)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49752
Restart Required: No
Instructions:
1. No customer action is required for patching.
2. Microsoft automatically applies security updates to the Azure Bastion service.
3. Ensure your Azure subscription is configured to receive automatic updates.
🔧 Temporary Workarounds
Restrict Azure Bastion Access
Limit which users and applications can access Azure Bastion using Azure RBAC and network security groups.
az role assignment create --assignee <user-principal-name> --role 'Bastion Reader' --scope <bastion-resource-id>
Enable Just-in-Time VM Access
Configure Just-in-Time access for virtual machines to limit exposure time.
az vm jit create --resource-group <rg-name> --name <vm-name> --ports 3389 --source-addresses <allowed-ips>
🧯 If You Can't Patch
- Disable Azure Bastion and use alternative secure access methods like VPN or ExpressRoute with network security groups.
- Implement strict network segmentation and monitor all Bastion access attempts with Azure Monitor and Sentinel.
🔍 How to Verify
Check if Vulnerable:
Check if your Azure Bastion service is running the latest version via Azure Portal or CLI: az bastion show --name <bastion-name> --resource-group <rg-name>
Check Version:
az bastion show --name <bastion-name> --resource-group <rg-name> --query 'provisioningState'
Verify Fix Applied:
Verify the service has been updated by checking the last update timestamp in Azure Portal under Bastion resource properties.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns in Azure AD logs
- Multiple failed authentication attempts followed by successful Bastion access
- Unexpected administrative actions on Bastion resources
Network Indicators:
- Unusual RDP/SSH traffic patterns from Bastion to VMs
- Multiple concurrent sessions from a single user
SIEM Query:
let expected_admin_users = dynamic(["admin1@contoso.example", "admin2@contoso.example"]); // placeholder allow list, replace with your Bastion administrators
AzureActivity
| where OperationNameValue contains 'Microsoft.Network/bastionHosts'
| where Caller !in~ (expected_admin_users)
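The log and network indicators above, and the SIEM query, expressed as runnable detection logic. This is an added example, not part of the advisory or Microsoft's tooling: the records are constructed rows shaped like the AzureActivity and SigninLogs tables (contoso.example users, timestamps and ResultType codes are all assumed sample values), and the three functions cover the allow-list check from the SIEM query, the "failed sign-ins followed by a successful Bastion access" pattern, and overlapping sessions from one user.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    # Constructed timestamps are UTC ISO-8601 with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed rows shaped like the AzureActivity table (not real log data).
ACTIVITY = [
    {"TimeGenerated": "2025-07-01T09:00:00Z", "Caller": "admin1@contoso.example",
     "OperationNameValue": "Microsoft.Network/bastionHosts/write"},
    {"TimeGenerated": "2025-07-01T09:05:00Z", "Caller": "dev7@contoso.example",
     "OperationNameValue": "Microsoft.Network/bastionHosts/write"},
    {"TimeGenerated": "2025-07-01T09:06:00Z", "Caller": "dev7@contoso.example",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/read"},
    {"TimeGenerated": "2025-07-01T09:10:00Z", "Caller": "Admin1@contoso.example",
     "OperationNameValue": "Microsoft.Network/bastionHosts/delete"},
]

# Constructed rows shaped like the SigninLogs table; ResultType "0" means success.
SIGNINS = [
    {"TimeGenerated": "2025-07-01T08:50:00Z", "UserPrincipalName": "dev7@contoso.example", "ResultType": "50126"},
    {"TimeGenerated": "2025-07-01T08:51:00Z", "UserPrincipalName": "dev7@contoso.example", "ResultType": "50126"},
    {"TimeGenerated": "2025-07-01T08:52:00Z", "UserPrincipalName": "dev7@contoso.example", "ResultType": "50126"},
    {"TimeGenerated": "2025-07-01T08:53:00Z", "UserPrincipalName": "dev7@contoso.example", "ResultType": "0"},
    {"TimeGenerated": "2025-07-01T08:55:00Z", "UserPrincipalName": "admin1@contoso.example", "ResultType": "0"},
]

# Constructed Bastion session intervals: (user, start, end).
SESSIONS = [
    ("admin1@contoso.example", "2025-07-01T09:00:00Z", "2025-07-01T09:30:00Z"),
    ("dev7@contoso.example", "2025-07-01T09:05:00Z", "2025-07-01T09:40:00Z"),
    ("dev7@contoso.example", "2025-07-01T09:10:00Z", "2025-07-01T09:20:00Z"),
    ("dev7@contoso.example", "2025-07-01T09:15:00Z", "2025-07-01T09:25:00Z"),
]


def unexpected_bastion_operations(records, expected_admins):
    """Equivalent of the SIEM query: bastionHosts operations by callers outside the allow list.
    Matching is case-insensitive, like KQL's contains and !in~ operators."""
    allow = {a.lower() for a in expected_admins}
    return [(r["Caller"], r["OperationNameValue"]) for r in records
            if "microsoft.network/bastionhosts" in r["OperationNameValue"].lower()
            and r["Caller"].lower() not in allow]


def failed_then_success(signins, min_failures=3, window=timedelta(minutes=10)):
    """Users with at least min_failures failed sign-ins inside `window` before a success."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["TimeGenerated"]):
        by_user[s["UserPrincipalName"].lower()].append(s)
    flagged = []
    for user, rows in by_user.items():
        for i, row in enumerate(rows):
            if row["ResultType"] != "0":
                continue
            t = _ts(row["TimeGenerated"])
            failures = sum(1 for prev in rows[:i]
                           if prev["ResultType"] != "0" and t - _ts(prev["TimeGenerated"]) <= window)
            if failures >= min_failures:
                flagged.append(user)
                break
    return flagged


def concurrent_sessions(sessions, max_overlap=1):
    """Users whose sessions overlap more than max_overlap at some instant (sweep-line count)."""
    events = defaultdict(list)
    for user, start, end in sessions:
        events[user.lower()].append((_ts(start), 1))
        events[user.lower()].append((_ts(end), -1))
    flagged = {}
    for user, evs in events.items():
        open_count, peak = 0, 0
        for _, delta in sorted(evs):  # at equal times, ends (-1) sort before starts (+1)
            open_count += delta
            peak = max(peak, open_count)
        if peak > max_overlap:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(unexpected_bastion_operations(ACTIVITY, ["admin1@contoso.example"]))
    print(failed_then_success(SIGNINS))
    print(concurrent_sessions(SESSIONS))
```

The allow-list check deliberately lower-cases both sides because Azure Activity callers can appear with varying case; the sign-in check treats any non-zero ResultType as a failure, which is how SigninLogs encodes it; and the session check counts overlaps rather than raw row totals, so a user who simply reconnects after disconnecting is not flagged.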