Microsoft Azure’s role-based access control system has been found to contain critical security vulnerabilities that could expose enterprise networks to unauthorized access. Security researchers have identified a combination of over-privileged built-in roles and API implementation flaws that create dangerous attack vectors for malicious actors seeking to compromise cloud infrastructure and on-premises networks.

The vulnerabilities center around Azure’s Role-Based Access Control (RBAC) system, which governs permissions across the cloud platform’s extensive service ecosystem. The discovery encompasses ten Azure built-in roles that contain the problematic “*/read” permission, effectively granting users access to 9,618 different Azure actions. Roles such as “Managed Applications Reader,” “Log Analytics Reader,” and “Monitoring Reader” mislead administrators into believing they provide narrow, service-specific access when they actually grant comprehensive read permissions across all Azure resources within their assigned scope. These roles, intended for limited administrative functions, actually provide the equivalent of full read access across entire Azure subscriptions.

The researchers also uncovered a separate but related vulnerability in Azure’s API implementation that allows users with basic read permissions to extract VPN pre-shared keys through a specific endpoint. An attacker who compromises an identity with seemingly limited permissions can leverage the over-privileged roles to conduct reconnaissance and then exploit the VPN key leak to gain network access.

Microsoft acknowledged the VPN vulnerability as “Important” severity and awarded researchers a $7,500 bounty, while classifying the over-privileged roles as “low severity” and opting to update documentation rather than fix the underlying permission issues.
The universal read permissions enable attackers to enumerate storage accounts, database instances, network configurations, and backup vaults, providing detailed intelligence for planning sophisticated attacks. Using the universal read permissions, they can enumerate Azure VPN Gateway configurations and extract pre-shared keys through the vulnerable API endpoint. With these keys, attackers can establish rogue site-to-site VPN connections, effectively joining the organization’s private network infrastructure and gaining access to both cloud resources and on-premises systems connected through the same gateway. More concerning, the permissions allow access to deployment scripts, automation accounts, and web application configurations that frequently contain embedded credentials and sensitive environment variables.
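A defensive check that follows from the above, written for this page and not taken from the article or the researchers: it scans role definitions in the JSON shape returned by `az role definition list` for a control-plane wildcard that covers every read, and evaluates whether a role's Actions/NotActions grant a given action. The sample role definitions are constructed and their action lists are illustrative approximations, not the authoritative Microsoft definitions.

```python
import fnmatch
import json

# Constructed sample in the shape of `az role definition list` output (trimmed).
# Action lists are illustrative approximations, not authoritative definitions.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Monitoring Reader",
   "permissions": [{"actions": ["*/read", "Microsoft.OperationalInsights/workspaces/search/action"],
                    "notActions": []}]},
  {"roleName": "Log Analytics Reader",
   "permissions": [{"actions": ["*/read", "Microsoft.OperationalInsights/workspaces/analytics/query/action"],
                    "notActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/read"]}]},
  {"roleName": "Storage Blob Data Reader",
   "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                    "notActions": []}]}
]
""")


def action_matches(pattern: str, action: str) -> bool:
    """Azure action wildcard semantics: '*' spans any characters, including '/'; case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """True if some permission block lists `action` under Actions and does not exclude it under NotActions."""
    for perm in role["permissions"]:
        granted = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def find_universal_read_roles(role_defs: list) -> list:
    """Names of roles whose Actions contain a wildcard covering every control-plane read ('*/read' or '*')."""
    return sorted(
        r["roleName"]
        for r in role_defs
        if any(p.strip().lower() in ("*/read", "*")
               for perm in r["permissions"] for p in perm.get("actions", []))
    )


if __name__ == "__main__":
    # Feed real output with: az role definition list > roles.json, then json.load() it instead.
    print("Roles granting universal read:", find_universal_read_roles(SAMPLE_ROLE_DEFINITIONS))
    print(role_allows(SAMPLE_ROLE_DEFINITIONS[0], "Microsoft.Storage/storageAccounts/read"))  # True
```

Review the flagged role names against the scope of their assignments (`az role assignment list --all`) to see which identities actually hold subscription-wide read.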
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Jul 2025 03:55:09 +0000