Microsoft Patches Critical Authentication Bypass Vulnerability (CVE-2025-49752) in Azure Bastion

Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover

Severity: CRITICAL
Published: November 22, 2025
Updated: November 27, 2025
Topics: Vulnerability, Cloud Security, Patch Management

Related Entities (initial)

CVE Identifiers: CVE-2025-49752 (CRITICAL, CVSS 10.0)

Full Report (when first published)

Executive Summary

Microsoft has patched a critical authentication bypass vulnerability in its Azure Bastion service, a managed solution for secure RDP and SSH access to Azure virtual machines. The vulnerability, tracked as CVE-2025-49752, has been assigned the maximum possible CVSS score of 10.0, signifying its extreme severity. The flaw allows a remote, unauthenticated attacker to completely bypass authentication and gain administrative access to all VMs managed by a vulnerable Bastion host. The attack involves capturing and replaying authentication tokens. Microsoft has released a patch, and all Azure Bastion instances created before November 20, 2025, are considered vulnerable. Customers are strongly advised to verify their deployments are updated to prevent a potential full-scale compromise of their cloud infrastructure.


Vulnerability Details

CVE-2025-49752 is an authentication bypass vulnerability stemming from a flaw in how Azure Bastion handles authentication tokens. It is classified as CWE-294 (Authentication Bypass by Capture-replay).

The attack scenario is as follows:

  1. An attacker who can position themselves to intercept network traffic to the Azure Bastion host (e.g., via a Man-in-the-Middle attack) can capture a valid authentication token from a legitimate user's session.
  2. The attacker can then replay this captured token in a single, specially crafted network request to the Bastion host.
  3. The vulnerability in Azure Bastion causes it to improperly validate the replayed token, granting the attacker an authenticated session with administrative privileges over the Bastion host itself.

Because the Bastion host is a gateway to all connected virtual machines, this compromise effectively gives the attacker administrative access (RDP/SSH) to the entire fleet of VMs it manages. The attack requires no privileges and no user interaction beyond a legitimate user simply using the service.

Exploitation Status

There is currently no public evidence of this vulnerability being exploited in the wild. Microsoft discovered and patched the flaw, and the disclosure appears to be coordinated. However, given its critical nature and the simplicity of the described attack, proof-of-concept exploits are likely to be developed quickly, making immediate remediation essential.

Affected Systems

Microsoft's advisory implies that the fix is automatically rolled out to the managed service. However, customers are urged to verify the status of their deployments. The issue highlights a potential pattern of authentication-related weaknesses in Azure services, following other critical privilege escalation flaws in Azure Networking and Azure Automation earlier in the year.

Impact Assessment

A successful exploit of CVE-2025-49752 is catastrophic for an organization using Azure Bastion. The service is designed to be a secure, hardened gateway to critical infrastructure. Its compromise completely undermines this security model.

An attacker could:

  • Gain full administrative access to every Windows and Linux virtual machine connected to the Bastion host.
  • Deploy ransomware across the entire cloud environment.
  • Exfiltrate sensitive data from all compromised VMs.
  • Establish persistence within the Azure environment.
  • Use the compromised VMs as a launchpad for further attacks.

The vulnerability effectively turns a key defensive asset into a single point of failure and a primary target for attackers.

IOCs

No IOCs are available as there is no known in-the-wild exploitation.

Cyber Observables for Detection

  • Type: log_source
    Value: Azure Activity Logs
    Description: Monitor for any unusual updates or reconfigurations of Azure Bastion resources.
    Context: Azure Monitor, SIEM
    Confidence: medium

  • Type: log_source
    Value: Azure Bastion Diagnostic Logs
    Description: Look for multiple sessions originating from a single token or sessions initiated from unexpected IP addresses.
    Context: Azure Monitor, Log Analytics Workspace
    Confidence: high

  • Type: network_traffic_pattern
    Value: Multiple logins with same session token
    Description: If network traffic can be inspected, detecting the same authentication token being used from different source IPs is a strong indicator of replay.
    Context: Network Security Monitoring, NDR
    Confidence: medium

Detection Methods

Detecting a sophisticated capture-replay attack can be challenging.

  1. Log Analysis: Ingest Azure Bastion diagnostic logs into a Log Analytics Workspace or SIEM. Create analytics rules to look for anomalies in session establishment. For example, a single user account establishing multiple, concurrent Bastion sessions from geographically dispersed IP addresses would be highly suspicious. This is a form of D3-UGLPA: User Geolocation Logon Pattern Analysis.

  2. Audit and Verification: The most practical detection method is to ensure the patch has been applied. Microsoft has not provided a clear method for customers to verify the patch status, but organizations should check their Azure Service Health dashboard for any notifications related to this vulnerability and open a support ticket with Microsoft if they are unsure.

Remediation Steps

Since Azure Bastion is a managed PaaS (Platform-as-a-Service) offering, the primary remediation is performed by Microsoft.

  1. Ensure Updates are Applied: Microsoft has stated that a security patch has been released. For most customers, this patch should be applied automatically. However, it is critical to confirm this. Review the Azure Service Health dashboard and any direct communications from Microsoft.

  2. Re-deploy Bastion Host (If Necessary): As a precautionary measure, or if advised by Microsoft, consider deleting and re-deploying your Azure Bastion host. Any new deployment created after November 20, 2025, will include the patch. This is a form of D3-PH: Platform Hardening by ensuring the latest secure version is deployed.

  3. Review Access Logs: Proactively review all Azure Bastion access logs since its deployment for any suspicious or unexplained sessions. If any are found, assume the connected VMs have been compromised and trigger a full incident response.

Timeline of Events

  1. November 20, 2025: Microsoft discloses CVE-2025-49752 and releases a patch for Azure Bastion.
  2. November 22, 2025: This article was published.

Article Updates

November 27, 2025: Additional detection methods and remediation steps for CVE-2025-49752, including NSG flow logs and zero-trust principles.

MITRE ATT&CK Mitigations

  • Ensure the Microsoft-managed service has been updated. If necessary, re-deploy the Bastion host to get the latest patched version.
  • Audit (M1047, enterprise): Audit Azure Bastion diagnostic logs for anomalous session activity.
  • Do not rely on a single Bastion host for the entire environment. Segment networks and use multiple, isolated Bastion hosts to limit the blast radius of a compromise.

D3FEND Defensive Countermeasures

To detect the malicious replay of an authentication token as described in CVE-2025-49752, organizations must implement User Geolocation Logon Pattern Analysis. This involves streaming Azure Bastion diagnostic logs and Azure AD sign-in logs into a SIEM or Log Analytics Workspace. An analytics rule should be created to detect 'impossible travel' scenarios. For example, if a legitimate user authenticates from New York and then, seconds later, a session is initiated with a replayed token from an IP in Eastern Europe, this is a physical impossibility and a strong indicator of compromise. The rule should trigger a high-priority alert, prompting an immediate investigation and revocation of the user's active sessions. This behavioral detection is critical for catching replay attacks that might otherwise look like legitimate logins.
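As an added illustration (not code from the original article or from Microsoft), the impossible-travel rule described above and in the Log Analysis detection method, run in Python over a few constructed Azure Bastion session records. The field names userName, clientIpAddress and sessionStartTime are assumed to follow the Bastion diagnostic log schema, and the IP-to-coordinate table is a constructed stand-in for a geolocation feed.

```python
"""Impossible-travel check over Azure Bastion session records (constructed sample data)."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Field names are assumed to match Azure Bastion
# diagnostic logs; they are not taken from a verified schema.
SAMPLE_LOGS = [
    {"userName": "alice", "clientIpAddress": "203.0.113.10", "sessionStartTime": "2025-11-21T14:00:00Z", "targetVMIPAddress": "10.0.1.4"},
    {"userName": "alice", "clientIpAddress": "198.51.100.7", "sessionStartTime": "2025-11-21T14:00:45Z", "targetVMIPAddress": "10.0.1.5"},
    {"userName": "bob", "clientIpAddress": "203.0.113.20", "sessionStartTime": "2025-11-21T15:00:00Z", "targetVMIPAddress": "10.0.1.4"},
    {"userName": "bob", "clientIpAddress": "203.0.113.20", "sessionStartTime": "2025-11-21T18:00:00Z", "targetVMIPAddress": "10.0.1.6"},
]

# Constructed IP -> (lat, lon) table standing in for a real geolocation feed
# (New York for the 203.0.113.x addresses, Eastern Europe for 198.51.100.7).
GEO = {"203.0.113.10": (40.71, -74.01), "198.51.100.7": (50.45, 30.52), "203.0.113.20": (40.71, -74.01)}

MAX_KMH = 900.0  # roughly airliner speed; a faster implied trip is physically impossible


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(records, geo=GEO, max_kmh=MAX_KMH):
    """Return (user, ip_a, ip_b, implied_kmh) for consecutive sessions of one
    user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userName"]].append((parse_time(r["sessionStartTime"]), r["clientIpAddress"]))
    alerts = []
    for user, sessions in by_user.items():
        sessions.sort()  # order by session start so consecutive pairs are compared
        for (t1, ip1), (t2, ip2) in zip(sessions, sessions[1:]):
            if ip1 == ip2 or ip1 not in geo or ip2 not in geo:
                continue  # same source, or no location data: nothing to compare
            km = haversine_km(geo[ip1], geo[ip2])
            hours = max((t2 - t1).total_seconds() / 3600.0, 1e-6)  # guard same-second sessions
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(kmh)))
    return alerts
```

The same grouping and speed threshold can be expressed as a scheduled analytics rule in Log Analytics; this block only makes the logic testable offline.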

While Microsoft is responsible for patching the underlying service, customers can perform platform hardening to mitigate the risk and impact of such a vulnerability. The most direct action is to delete and redeploy the Azure Bastion host. Any new instance provisioned after November 20, 2025, will be based on the patched infrastructure. Additionally, organizations should follow the principle of least privilege and network segmentation. Instead of using one monolithic Bastion host to provide access to all VMs, deploy multiple, separate Bastion hosts for different virtual networks or application environments. This segmentation ensures that if one Bastion host were to be compromised, the blast radius would be contained to only the VMs in its specific segment, rather than the entire cloud estate.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2025-49752, Azure, Microsoft, Azure Bastion, Vulnerability, Authentication Bypass, CVSS 10, Cloud Security
