Azure Bastion Elevation of Privilege Vulnerability
CVE-2025-49752 is a critical authentication bypass (elevation of privilege) vulnerability in Azure Bastion that affects all Azure Bastion deployments prior to the patch released on November 20, 2025. The flaw lets an unauthenticated attacker gain administrative access to virtual machines by replaying captured credentials, and it carries a CVSS severity of 10.0.
CVE ID: CVE-2025-49752
Vendor: Microsoft
Product: Azure Bastion
Product Version: All Azure Bastion deployments prior to the emergency security patch issued on November 20, 2025. Specific version numbers are not provided, but all configurations that enable Bastion for RDP or SSH are affected.
Vulnerability Details
- Authentication Bypass by Capture-replay (CWE-294).
- Attackers can intercept and replay authentication tokens, allowing them to gain administrative (elevated) access to all VMs accessible via Bastion, without any prior authentication or user interaction.
- Severity: CVSS 10.0, with high impact on confidentiality and integrity, low on availability.
- Potential Consequences: Mass compromise of virtual machines, data exfiltration, and lateral movement in cloud environments.
- Learn More: https://nvd.nist.gov/vuln/detail/CVE-2025-49752
Vendor Response
- Patch: Microsoft released an urgent security update on November 20, 2025.
- Mitigation: Microsoft has already fully mitigated this vulnerability. It is still advised to implement strong authentication, monitor for related suspicious activity, and conduct security audits on potentially affected systems.
Disclosure Timeline
- Vulnerability identification and CVE reservation
- Public disclosure and patch release by Microsoft
- Emergency advisories and mainstream media coverage