Introduction
Attackers gaining administrative access to Azure-hosted virtual machines through a single network request is a scenario no cloud security team wants to face. CVE-2025-49752 is a critical authentication bypass vulnerability in Azure Bastion that could allow remote privilege escalation, directly impacting the security of cloud infrastructure for organizations worldwide.
Azure Bastion is a managed service from Microsoft that provides secure RDP and SSH connectivity to virtual machines in Azure without exposing those VMs directly to the internet. It is widely deployed by enterprises for centralized, secure administrative access.
Technical Information
CVE-2025-49752 is categorized as CWE-294 (Authentication Bypass by Capture-replay). This vulnerability class involves attackers intercepting valid authentication tokens or credentials and replaying them to gain unauthorized access. In Azure Bastion, this could allow a remote attacker to escalate privileges to an administrative level, potentially granting access to all VMs reachable via the Bastion host.
The vulnerability is remotely exploitable, requires no user interaction, and targets the authentication mechanisms within the Bastion service. The CVSS score of 10.0 reflects the fact that exploitation can occur over the network without prior authentication or special privileges. No public code snippets or detailed root cause disclosures are available as of the reporting date. No proof of concept or exploitation in the wild has been reported.
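The CWE-294 class described above, shown as an added example that is not from the advisory and does not represent Azure Bastion's code, whose root cause is undisclosed. A verifier that checks only the signature accepts a captured token every time, while one that also enforces a freshness window and single-use identifiers rejects the replay. The token format, `KEY`, `MAX_AGE` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

KEY = secrets.token_bytes(32)  # constructed demo signing key (assumption)
MAX_AGE = 60                   # assumed token lifetime in seconds

def issue_token(user, now=None):
    """Sign claims carrying an issue time (iat) and a one-time id (jti)."""
    iat = int(time.time() if now is None else now)
    claims = {"sub": user, "iat": iat, "jti": secrets.token_hex(16)}
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(KEY, body, hashlib.sha256).hexdigest()

def _verified_claims(token):
    """Return the claims if the MAC is valid, otherwise None."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(body)

def verify_weak(token):
    """Signature check only: a captured token is accepted on every replay."""
    return _verified_claims(token) is not None

class ReplayGuard:
    """Signature check plus freshness window and single-use jti tracking."""
    def __init__(self):
        self.seen = {}  # jti -> time after which the token is stale anyway

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        claims = _verified_claims(token)
        if claims is None:
            return False
        if not 0 <= now - claims["iat"] <= MAX_AGE:
            return False  # stale or future-dated token
        self.seen = {j: e for j, e in self.seen.items() if e >= now}  # prune
        if claims["jti"] in self.seen:
            return False  # second presentation of the same token: replay
        self.seen[claims["jti"]] = claims["iat"] + MAX_AGE
        return True
```

The seen-identifier cache only has to remember a token for as long as the freshness window would still accept it, which keeps it bounded.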
Affected Systems and Versions
- Product: Microsoft Azure Bastion
- Affected: All Azure Bastion deployments prior to the security update released on November 20, 2025
- No specific version numbers or SKU restrictions have been published in available advisories
- All configurations using Azure Bastion for RDP or SSH access are potentially affected
Vendor Security History
Microsoft Azure has experienced multiple critical privilege escalation vulnerabilities in 2025, including:
- CVE-2025-54914 (Azure Networking, CVSS 10.0)
- CVE-2025-29827 (Azure Automation, CVSS 9.9)
- CVE-2025-55241 (Azure Entra ID, CVSS 9.0)
Microsoft maintains a monthly patch cycle and has launched the Secure Future Initiative to improve security development. Despite these efforts, recurring authentication and privilege escalation issues have been observed across Azure services.



