Saturday, January 17, 2026

Exposed VPN Keys and Over-Permissioned Roles in Azure API Vulnerabilities

Azure, Microsoft’s flagship cloud platform, faces new scrutiny after security researchers from Token Security uncovered critical misconfigurations in multiple built-in Azure roles, combined with a previously unreported API vulnerability that exposed VPN keys.

The findings reveal a high-risk attack chain that lets low-privileged users breach both cloud and on-premises networks.

Over-Permissioned Roles: More Power Than Intended

Azure’s Role-Based Access Control (RBAC) system is designed to streamline permissions management by assigning roles to users and services. These roles are assumed to adhere strictly to the principle of “least privilege.”

However, Token Security identified at least ten built-in roles, including Log Analytics Reader, Managed Applications Reader, Monitoring Contributor, and others, that mistakenly include wildcard read permissions (*/read), granting visibility across all resources within a scope.

For instance, the “Managed Applications Reader” role is described as providing access to managed apps and Just-In-Time (JIT) requests. In practice, it also grants broad read permissions typically reserved for generic roles like “Reader.”

This misalignment enables unintended access to sensitive metadata, environment variables, and configuration details, potentially leading to credential theft or reconnaissance attacks.

VPN Key Leakage: A Critical API Oversight

Further compounding the issue, researchers discovered an Azure API endpoint that, due to permission enforcement based solely on HTTP methods, allowed users with only read privileges to retrieve VPN pre-shared keys (PSKs).

The root cause: while secret-fetching APIs usually require POST requests (which “Reader” users can’t execute), the VPN key API was mistakenly implemented using GET, which these roles can access.

This oversight enabled attackers to programmatically extract VPN keys for Azure’s Site-to-Site (S2S) VPN Gateways.

Armed with these credentials, adversaries could establish rogue VPN connections, gaining unauthorized access to internal cloud networks and even connecting to on-premises infrastructures.

The seriousness of this vulnerability lies in its potential to bridge cloud and on-premises boundaries, creating an avenue for lateral movement across hybrid environments.

Microsoft’s Response and Security Recommendations

Microsoft categorized the over-permissioned role issue as “low severity” and opted to update documentation rather than the permissions logic.

However, the VPN key leak was acknowledged as an “Important” vulnerability and was quickly patched so that only users holding the explicit Microsoft.Network/connections/sharedKey/action permission can access VPN PSKs.
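The two design points in this article, a wildcard read grant that is broader than a role's stated purpose and an endpoint whose authorization was keyed to the HTTP verb, can be modelled in a few lines. The following Python is an added example, not code from Token Security or Microsoft. It evaluates constructed role definitions (shaped like `az role definition list` output, with illustrative permissions rather than the real built-in definitions) against the RBAC wildcard rules, flags blanket-read roles, and contrasts a verb-derived action check with an explicit check for `Microsoft.Network/connections/sharedKey/action`. The `required_action_by_method` model of the flawed endpoint, the `.../sharedKey/read` action name it derives, and the probe actions are assumptions for illustration.

```python
"""Added example: audit Azure RBAC role definitions for blanket read grants,
and contrast verb-derived authorization with explicit action authorization.
Role permissions below are constructed for illustration; export real ones with
`az role definition list` and feed them to wildcard_read_roles()."""
import fnmatch
import json

# Constructed sample in the (trimmed) shape of `az role definition list` output.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Reader",
   "permissions": [{"actions": ["*/read"], "notActions": []}]},
  {"roleName": "Managed Applications Reader",
   "permissions": [{"actions": ["*/read", "Microsoft.Solutions/jitRequests/*"],
                    "notActions": []}]},
  {"roleName": "Network Contributor",
   "permissions": [{"actions": ["Microsoft.Network/*"], "notActions": []}]},
  {"roleName": "Managed App Viewer (custom, least privilege)",
   "permissions": [{"actions": ["Microsoft.Solutions/applications/read",
                                "Microsoft.Solutions/jitRequests/read"],
                    "notActions": []}]}
]
""")

# Read actions from two unrelated providers (assumed probes); a single wildcard
# pattern that covers both is a blanket read grant, not a service-specific one.
PROBE_READS = ("Microsoft.KeyVault/vaults/read",
               "Microsoft.Compute/virtualMachines/read")

# The action Microsoft's fix requires for fetching a VPN pre-shared key.
SHARED_KEY_ACTION = "Microsoft.Network/connections/sharedKey/action"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard rule: '*' spans any characters (including '/'),
    and matching is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry does."""
    for perm in role["permissions"]:
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def has_blanket_read(role: dict) -> bool:
    """True if one wildcard Actions entry reads across both probe providers."""
    return any("*" in p and all(action_matches(p, probe) for probe in PROBE_READS)
               for perm in role["permissions"] for p in perm.get("actions", []))


def wildcard_read_roles(role_defs: list) -> list:
    """Names of roles whose read grant is broader than their stated purpose."""
    return [r["roleName"] for r in role_defs if has_blanket_read(r)]


def role_by_name(role_defs: list, name: str) -> dict:
    return next(r for r in role_defs if r["roleName"] == name)


def required_action_by_method(resource: str, method: str) -> str:
    """Model of the flawed endpoint (assumption): the required action is derived
    from the HTTP verb, so a GET that returns a secret counts as a plain read."""
    return f"{resource}/read" if method == "GET" else f"{resource}/action"


def can_fetch_psk_method_based(role: dict, method: str = "GET") -> bool:
    """Verb-based check: any role with */read passes for a GET endpoint."""
    return role_allows(role, required_action_by_method(
        "Microsoft.Network/connections/sharedKey", method))


def can_fetch_psk_action_based(role: dict) -> bool:
    """Corrected check: the endpoint names the exact action it needs,
    independent of the verb used to reach it."""
    return role_allows(role, SHARED_KEY_ACTION)


def custom_role_definition(name: str, actions: list, subscription_id: str) -> str:
    """JSON in the shape `az role definition create --role-definition @file`
    expects, for replacing a blanket-read built-in with a narrow custom role."""
    return json.dumps({
        "Name": name,
        "IsCustom": True,
        "Description": "Least-privilege replacement for a wildcard-read built-in role",
        "Actions": actions,
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }, indent=2)


if __name__ == "__main__":
    print("blanket-read roles:", wildcard_read_roles(SAMPLE_ROLE_DEFINITIONS))
    for name in ("Reader", "Network Contributor"):
        role = role_by_name(SAMPLE_ROLE_DEFINITIONS, name)
        print(f"{name}: verb-based={can_fetch_psk_method_based(role)} "
              f"action-based={can_fetch_psk_action_based(role)}")
    print(custom_role_definition("Managed App Viewer",
                                 ["Microsoft.Solutions/applications/read",
                                  "Microsoft.Solutions/jitRequests/read"],
                                 "<subscription-id-placeholder>"))
```

Run against the constructed sample, the audit flags Reader and Managed Applications Reader, while Network Contributor's `Microsoft.Network/*` is scoped to one provider and is not flagged. For the PSK endpoint, a Reader passes the verb-based check (its `*/read` matches the derived `.../sharedKey/read`) but fails the action-based check, which is the property Microsoft's fix restores; a role that legitimately holds `Microsoft.Network/*` passes both. The custom role JSON is the shape to feed `az role definition create` when replacing a blanket-read built-in, with the subscription id left as a placeholder.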

Mitigation strategies include auditing existing role assignments, minimizing permission scopes, and replacing affected built-in roles with custom, least-privilege alternatives.

Organizations should avoid blanket role assignments and prioritize granular, service-specific access. These findings highlight the complexity and potential pitfalls of cloud identity management.

Security teams are advised to carefully review their Azure permissions, remain vigilant for privilege creep, and maintain a proactive stance toward emerging threats in cloud platforms.
