
Critical Vulnerability in Azure Bastion Let Attackers Bypass Authentication and Escalate Privileges

A critical vulnerability in Azure Bastion (CVE-2025-49752) allows remote attackers to bypass authentication mechanisms and escalate privileges to administrative levels.

The vulnerability undermines the Bastion security model by enabling attackers to gain administrative access through a single network request, potentially compromising all virtual machines accessible through the Bastion host.

According to zeropath, the vulnerability stems from improper handling of authentication tokens within the Bastion service. Attackers can intercept and replay valid authentication credentials to bypass security controls and assume administrative privileges.

With a CVSS score of 10.0, this vulnerability carries the highest severity classification, indicating that it is remotely exploitable, requires no user interaction, and demands no prior authentication.

This post is licensed under CC BY 4.0 by the author.