Azure API Vulnerabilities Leak VPN Keys and Built-In Roles Allow Over-Privileged Access

Microsoft Azure’s role-based access control system has been found to contain critical security vulnerabilities that could expose enterprise networks to unauthorized access.

Security researchers have identified a combination of over-privileged built-in roles and API implementation flaws that create dangerous attack vectors for malicious actors seeking to compromise cloud infrastructure and on-premises networks.

The vulnerabilities center around Azure’s Role-Based Access Control (RBAC) system, which governs permissions across the cloud platform’s extensive service ecosystem.

What appears to be a fundamental design flaw has resulted in numerous service-specific roles inadvertently granting far broader permissions than their names and descriptions suggest.

These roles, intended for limited administrative functions, actually provide the equivalent of full read access across entire Azure subscriptions.

Role assignment (Source – Token)

The discovery encompasses ten Azure built-in roles that contain the problematic “*/read” permission, a wildcard that effectively grants users access to 9,618 different Azure read actions.

Roles such as “Managed Applications Reader,” “Log Analytics Reader,” and “Monitoring Reader” mislead administrators into believing they provide narrow, service-specific access when they actually grant comprehensive read permissions across all Azure resources within their assigned scope.

Token analysts identified that these over-privileged roles create significant security risks beyond simple information disclosure.

The universal read permissions enable attackers to enumerate storage accounts, database instances, network configurations, and backup vaults, providing detailed intelligence for planning sophisticated attacks.

More concerning, the permissions allow access to deployment scripts, automation accounts, and web application configurations that frequently contain embedded credentials and sensitive environment variables.
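To audit for the wildcard read grant the article describes, a defender can scan role definitions (for example the JSON that `az role definition list` returns) for Actions patterns such as “*/read” and test which concrete actions each role actually covers. The following is an added example, not code from Token or Microsoft; the role definitions are constructed samples that borrow role names from the article, and their permission lists are illustrative rather than Azure’s real ones.

```python
"""Flag Azure role definitions whose Actions carry a wildcard read grant."""
import fnmatch
import json

# Constructed sample, shaped like `az role definition list` output.
# Role names follow the article; the permission lists are illustrative only.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Monitoring Reader",
   "permissions": [{"actions": ["*/read", "Microsoft.Support/*"],
                    "notActions": []}]},
  {"roleName": "Storage Blob Data Reader",
   "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                    "notActions": []}]},
  {"roleName": "Custom Scoped Reader",
   "permissions": [{"actions": ["*/read"],
                    "notActions": ["Microsoft.Network/virtualNetworkGateways/*"]}]}
]
""")


def action_matches(pattern, action):
    """Azure RBAC wildcard semantics: '*' matches any run of characters, '/' included."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role, action):
    """True when some Actions pattern matches and no NotActions pattern excludes it."""
    for perm in role["permissions"]:
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def find_wildcard_read_roles(role_definitions):
    """Return names of roles whose Actions include a pattern that begins with '*'."""
    flagged = []
    for role in role_definitions:
        if any(p.startswith("*") for perm in role["permissions"]
               for p in perm.get("actions", [])):
            flagged.append(role["roleName"])
    return flagged


if __name__ == "__main__":
    gateway_read = "Microsoft.Network/virtualNetworkGateways/read"
    for name in find_wildcard_read_roles(SAMPLE_ROLE_DEFINITIONS):
        role = next(r for r in SAMPLE_ROLE_DEFINITIONS if r["roleName"] == name)
        print(f"{name}: wildcard read; gateway read allowed={role_allows(role, gateway_read)}")
```

Run against real output by replacing the constructed sample with `json.load()` of the CLI’s JSON; a role that is flagged and still allows the gateway read is one whose name understates its reach.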

The researchers also uncovered a separate but related vulnerability in Azure’s API implementation that allows users with basic read permissions to extract VPN pre-shared keys through a specific endpoint.

This flaw stems from inconsistent permission enforcement across HTTP methods: Azure typically exposes sensitive operations only through POST requests, which require a specific action permission, but the VPN key retrieval function was implemented as a GET request, which a wildcard read permission is enough to call.

Attack Chain Exploitation

The most dangerous aspect of these vulnerabilities lies in their combination to create a complete attack chain targeting hybrid cloud environments.

Attack chain (Source – Token)

An attacker who compromises an identity with seemingly limited permissions can leverage the over-privileged roles to conduct reconnaissance and then exploit the VPN key leak to gain network access.

The attack sequence begins when an attacker obtains credentials for an identity assigned one of the problematic roles.

Using the universal read permissions, they can enumerate Azure VPN Gateway configurations and extract pre-shared keys through the vulnerable API endpoint.

With these keys, attackers can establish rogue site-to-site VPN connections, effectively joining the organization’s private network infrastructure and gaining access to both cloud resources and on-premises systems connected through the same gateway.

Microsoft acknowledged the VPN vulnerability as “Important” severity and awarded researchers a $7,500 bounty, while classifying the over-privileged roles as “low severity” and opting to update documentation rather than fix the underlying permission issues.
