Critical Authentication Bypass in Microsoft Azure Bastion Allows Remote Administrative Access (CVE-2025-49752)
November 26th, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring CVE-2025-49752, a critical authentication-bypass and privilege-escalation vulnerability impacting Microsoft Azure Bastion. First recorded in Microsoft’s Security Update Guide on November 20, 2025, it allows remote, unauthenticated attackers to gain unauthorized access to Azure Bastion sessions by capturing and replaying intercepted authentication tokens (CWE-294). Azure Bastion provides high-trust access to RDP and SSH connectivity for Azure virtual machines. A successful exploit can allow attackers elevated administrative access to downstream VMs, undermining workload isolation and exposing sensitive environments. While no public proof-of-concept or exploitation in the wild has been reported to date, unpatched Bastion instances should be treated as high-risk exposure points and validated to ensure that they are covered by Microsoft’s November 20, 2025, backend update.
Technical Details
CVE ID: CVE-2025-49752
Severity: Critical (CVSS 10.0)
Vulnerability Type: Authentication Bypass via Capture-Replay (CWE-294)
Attack Chain:
The vulnerability exists within Azure Bastion’s authentication flow, where captured authentication tokens or credentials can be replayed to bypass regular validation.
An attacker intercepts valid authentication material during a Bastion sign-in, then replays it to Bastion’s authentication endpoints.
Due to insufficient validation against token reuse, the replayed session is accepted, granting unauthorized access to Bastion-brokered RDP/SSH connections.
The attack is fully remote, requires no prior authentication, and does not require user interaction.
Affected Services:
All Azure Bastion deployments provisioned before Microsoft’s November 20, 2025, update.
Impact extends to all Azure VMs accessed through the affected Bastion instance.
Root Cause (CWE Mapping):
CWE-294: Azure Bastion’s authentication process fails to adequately resist or detect replayed authentication material, allowing attackers to impersonate legitimate users.

Impact
Successful exploitation of CVE-2025-49752 may allow remote attackers to obtain administrative-level access to Bastion-mediated RDP or SSH sessions, possibly resulting in:
Unauthorized control of Azure VMs accessed through Bastion
Privilege escalation through impersonation of legitimate administrators
Execution of arbitrary administrative actions on downstream workloads
Exposure of sensitive data accessed within compromised sessions
Circumvention of network segmentation, JIT access controls, and isolation boundaries
Potential lateral movement across Azure resources
Stealthy, token-based persistence with limited immediate artifacts
Exploitation of this vulnerability exposes organizations to unauthorized Bastion access, privilege escalation within connected Azure VMs, and compromise of critical workloads.
Detection Method
Organizations should review Azure Bastion environments for signs of unauthorized access or token reuse.
Authentication & Session Indicators:
Bastion RDP/SSH sessions without corresponding Azure AD sign-ins.
Sessions originating from unusual IPs, geographic regions, or user accounts.
Privileged sessions established without MFA, where it is typically required.
Azure Activity Logs:
Inspect Activity Logs for anomalies associated with Bastion connection events, including:
Microsoft.Network/bastionHosts/BeginConnect
Microsoft.Network/bastionHosts/Connect
Look for:
Repeated connection attempts from a single IP.
Sessions occurring at unusual times or outside standard operational windows.
Patterns suggesting reuse of authentication artifacts.
Azure AD Sign-in Logs:
Correlate Bastion connection events with Azure AD sign-ins:
Missing or failed sign-ins preceding a Bastion session.
Sessions violating Conditional Access policies.
Risk detections related to atypical token behavior.
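The Activity Log and sign-in log correlation described above, written out as an added example that is not part of this advisory. It runs over constructed, simplified records (the field names operationName, caller, callerIp, user, ip, status and mfa are assumptions standing in for the real Azure log schema; the timestamps, accounts and addresses are invented) and flags Bastion connection events that have no successful sign-in by the same account within a preceding window, events whose matching sign-ins all lacked MFA, events whose source address differs from the sign-in address, and source addresses with repeated connection attempts.

```python
"""Correlate Azure Bastion connection events with Azure AD sign-ins.

Added example, not the advisory's own tooling. Record shapes below are
simplified, constructed approximations of Azure Activity Log and Azure AD
sign-in log entries; the field names are assumptions, not the real schema.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Activity Log operation names called out in the advisory.
BASTION_OPS = {
    "Microsoft.Network/bastionHosts/BeginConnect",
    "Microsoft.Network/bastionHosts/Connect",
}

# Constructed sample Activity Log records (hypothetical values).
ACTIVITY_LOG = [
    {"time": "2025-11-21T08:02:10Z", "operationName": "Microsoft.Network/bastionHosts/Connect",
     "caller": "alice@example.com", "callerIp": "203.0.113.10"},
    {"time": "2025-11-21T09:15:00Z", "operationName": "Microsoft.Network/bastionHosts/BeginConnect",
     "caller": "bob@example.com", "callerIp": "198.51.100.7"},
    {"time": "2025-11-21T09:15:30Z", "operationName": "Microsoft.Network/bastionHosts/BeginConnect",
     "caller": "bob@example.com", "callerIp": "198.51.100.7"},
    {"time": "2025-11-21T10:00:00Z", "operationName": "Microsoft.Network/bastionHosts/Connect",
     "caller": "carol@example.com", "callerIp": "198.51.100.7"},
    {"time": "2025-11-21T11:30:00Z", "operationName": "Microsoft.Compute/virtualMachines/start",
     "caller": "alice@example.com", "callerIp": "203.0.113.10"},  # not a Bastion event, ignored
    {"time": "2025-11-21T12:00:00Z", "operationName": "Microsoft.Network/bastionHosts/Connect",
     "caller": "alice@example.com", "callerIp": "203.0.113.10"},
]

# Constructed sample Azure AD sign-in records (hypothetical values).
SIGNIN_LOG = [
    {"time": "2025-11-21T08:01:40Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "status": "success", "mfa": True},
    {"time": "2025-11-21T09:55:00Z", "user": "carol@example.com", "ip": "203.0.113.55",
     "status": "success", "mfa": False},
    {"time": "2025-11-21T09:10:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "status": "failure", "mfa": False},  # failed sign-in does not vouch for a session
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_sessions(activity, signins, window=timedelta(minutes=15), mfa_required=True):
    """Return Bastion connection events that lack a consistent preceding sign-in.

    A Bastion session is expected to follow a successful interactive sign-in by
    the same account shortly before the connect event. A session with no such
    sign-in is the pattern a replayed token would produce; a session whose only
    matching sign-ins skipped MFA, or came from a different address, is also
    worth a closer look (the IP check is a heuristic, not proof of misuse).
    """
    findings = []
    for event in activity:
        if event["operationName"] not in BASTION_OPS:
            continue
        when = parse_ts(event["time"])
        matching = [
            s for s in signins
            if s["user"] == event["caller"]
            and s["status"] == "success"
            and when - window <= parse_ts(s["time"]) <= when
        ]
        reasons = []
        if not matching:
            reasons.append("no_preceding_signin")
        else:
            if mfa_required and not any(s["mfa"] for s in matching):
                reasons.append("no_mfa")
            if not any(s["ip"] == event["callerIp"] for s in matching):
                reasons.append("ip_mismatch")
        if reasons:
            findings.append({"time": event["time"], "caller": event["caller"],
                             "callerIp": event["callerIp"], "reasons": reasons})
    return findings


def repeated_source_ips(activity, threshold=3):
    """Return source addresses with at least `threshold` Bastion connection attempts."""
    counts = Counter(e["callerIp"] for e in activity if e["operationName"] in BASTION_OPS)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in find_suspicious_sessions(ACTIVITY_LOG, SIGNIN_LOG):
        print(f"{f['time']} {f['caller']} from {f['callerIp']}: {', '.join(f['reasons'])}")
    for ip, n in repeated_source_ips(ACTIVITY_LOG).items():
        print(f"repeated Bastion connection attempts from {ip}: {n}")
```

The 15-minute window and the threshold of three attempts are starting points to tune against a tenant's baseline; in a real deployment the records would be pulled from Log Analytics or the Microsoft Graph sign-in endpoint rather than embedded, and a "no_preceding_signin" hit on a privileged account is the finding to escalate first.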
Exposure & Version Checks:
Confirm that all Bastion resources have received Microsoft’s November 20, 2025, update.
Prioritize review of Bastion instances that are publicly accessible or lack NSG restrictions.
Indicators of Compromise
There are no Indicators of Compromise (IoCs) associated with this advisory.

Recommendations
Immediate Actions:
Verify that all Azure Bastion resources are covered by Microsoft’s November 20, 2025, backend mitigation for CVE-2025-49752 and review any associated guidance from Microsoft.
Restrict Bastion access using Network Security Groups, private endpoints, or VPN-only paths to reduce unnecessary exposure.
Temporarily disable public exposure of Bastion where feasible until validation is complete.
Review recent Bastion session activity and revoke any suspicious tokens or active sessions.
Security Hardening:
Enable enhanced logging for Azure Bastion session telemetry, Azure Activity Logs, and Azure AD sign-in logs.
Enforce strict segmentation to isolate Bastion from untrusted networks.
Conduct a historical review for token reuse, anomalous sign-in patterns, and suspicious Bastion activity.
Treat unpatched or internet-exposed Bastion resources as potentially compromised and initiate forensic review if anomalies are detected.
Conclusion
CVE-2025-49752 poses a critical authentication bypass risk in Azure Bastion, allowing potential unauthorized administrative access to downstream Azure VMs. While no exploitation has been confirmed to date, the remote, zero-interaction nature of the vulnerability significantly elevates operational risk. We urge organizations that rely on Bastion for secure remote administration to immediately confirm patch compliance, minimize public exposure, and conduct targeted reviews of recent authentication activity. Continued monitoring of Microsoft advisories and cloud access telemetry remains essential as adversaries increasingly target remote administration and cloud identity pathways.