A newly identified flaw in Azure Bastion, tracked as CVE 2025 49752, presents a serious security risk for organizations depending on the service for secure remote access. The vulnerability allows remote attackers to bypass authentication controls and escalate privileges to the administrative level. Since Azure Bastion is widely used to manage cloud based virtual machines, the flaw significantly increases the potential impact of unauthorized access.
How the Vulnerability Works
Researchers at Zeropath confirmed that the issue stems from incorrect processing of authentication tokens within the Bastion service. By exploiting this weakness, attackers can capture and replay valid authentication credentials, which lets them completely skip normal security checks and assume administrative privileges.
The attack requires only one network request. No user involvement, special permissions, or physical access is necessary. This means any attacker on the network can take control of the Bastion host and all connected virtual machines.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE 2025 49752 |
| Vulnerability Type | Authentication Bypass (CWE 294) |
| CVSS Score | 10.0 Critical |
| Affected Product | Microsoft Azure Bastion, all versions before Nov 20 2025 |
| Attack Vector | Network |
| Impact | Remote privilege escalation to the administrative level |
A CVSS score of 10.0 indicates the highest possible severity. The flaw is remotely exploitable, requires no authentication, and needs no interaction from the victim.
A Growing Pattern of Azure Security Issues
CVE 2025 49752 adds to a series of similar critical flaws disclosed in 2025, including CVE 2025 54914 and CVE 2025 29827. These repeated authentication related problems raise concerns about the overall security of Azure environments, even under Microsoft’s Secure Future Initiative, which aims to enhance secure development practices.
Patch Status
Microsoft has not provided exact version numbers but confirmed that all Azure Bastion deployments prior to November 20 2025 are vulnerable. Organizations must ensure they have applied the latest patch immediately.
Recommended Mitigation Steps
- Patch all Azure Bastion instances without delay.
- Audit administrative access logs to detect unusual or unauthorized activity.
- Review network segmentation to ensure Bastion hosts are not exposed to unnecessary interfaces.
- Reevaluate access control policies to minimize lateral movement risks.
- Monitor for token replay attempts or suspicious authentication events.
