Saturday, February 14, 2026

Critical Azure Bastion Flaw Enables Authentication Bypass and Privilege Escalation

Microsoft patched a severe flaw in Azure Bastion on November 20, 2025, tracked as CVE-2025-49752, that allows attackers to bypass authentication checks and gain admin rights on virtual machines.

The vulnerability carries the maximum CVSS score of 10.0: it is reachable over the network, low in attack complexity, and needs neither privileges nor user interaction.

Enterprises that rely on Azure Bastion for RDP and SSH access to their VMs were exposed until Microsoft rolled the fix out to the service.

Azure Bastion acts as a secure gateway, allowing admins to connect to VMs in Azure Virtual Networks over TLS without exposing public IPs on the machines.

Attackers exploit the issue remotely by capturing a valid authentication token and replaying it, the pattern classified as CWE-294, authentication bypass by capture-replay.

Once inside, they escalate to complete administrative control, enabling data theft, VM configuration changes, or lateral movement across cloud resources.

No public proof-of-concept code exists, and no in-the-wild exploitation has been confirmed. The low barrier to remote exploitation nevertheless makes the issue urgent.

Technical Breakdown

The flaw affects Azure Bastion’s login process, where poor token handling allows replayed credentials to bypass checks. Key metrics show its danger:

Metric               Value             Description
CVSS score           10.0 (Critical)   Maximum severity
Attack vector        Network           Remote over the internet
Privileges required  None              No authentication needed
User interaction     None              Fully automated
Scope                Changed           Impacts connected VMs
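The capture-replay pattern described above, as an added illustration: this is example code written for this article, not Microsoft's or Azure Bastion's code, and not a reproduction of the unpublished CVE-2025-49752 mechanism. A gateway that only checks a token's signature accepts a captured token from any session for as long as the signing key lives; the hardened form binds the token to a session, an expiry and a single-use identifier. The key, session names and claim layout are constructed for the example.

```python
# Added illustration of CWE-294 (authentication bypass by capture-replay).
# Example code written for this article: not Azure Bastion's code and not the
# actual CVE-2025-49752 mechanism, which Microsoft has not published.
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the example


def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role, session_id, ttl_s=60, now=None):
    """Issue a signed token bound to a session, with an expiry and a unique id (jti)."""
    now = time.time() if now is None else now
    jti = hashlib.sha256(f"{user}|{session_id}|{now}".encode()).hexdigest()[:16]
    claims = {"sub": user, "role": role, "sid": session_id,
              "iat": now, "exp": now + ttl_s, "jti": jti}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def _verify_signature(token):
    """Return the claims if the HMAC over the body is valid, else None."""
    body, _, sig = token.rpartition(".")
    if not body or not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class VulnerableGateway:
    """Checks only that the token was signed by the server.

    A token captured from any earlier session stays valid for every later
    request, from any client: the defect class of CWE-294.
    """

    def authorize(self, token, session_id, now=None):
        claims = _verify_signature(token)
        return None if claims is None else claims["role"]


class HardenedGateway:
    """Rejects replay: checks expiry, session binding and single use of the jti."""

    def __init__(self):
        self._seen = {}  # jti -> exp; consumed ids, pruned once they expire

    def authorize(self, token, session_id, now=None):
        now = time.time() if now is None else now
        claims = _verify_signature(token)
        if claims is None:
            return None
        if now >= claims["exp"]:
            return None  # too old to accept, whoever presents it
        if claims["sid"] != session_id:
            return None  # minted for a different session: a captured token
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if claims["jti"] in self._seen:
            return None  # already consumed once: a replay inside the session
        self._seen[claims["jti"]] = claims["exp"]
        return claims["role"]


if __name__ == "__main__":
    victim = issue_token("alice", "admin", "sess-victim", now=1000.0)
    print("vulnerable, replayed later from another session:",
          VulnerableGateway().authorize(victim, "sess-attacker", now=5000.0))
    gw = HardenedGateway()
    print("hardened, legitimate first use:", gw.authorize(victim, "sess-victim", now=1010.0))
    print("hardened, replayed from another session:",
          gw.authorize(victim, "sess-attacker", now=1010.0))
```

The three checks in the hardened gateway each close a different replay window: expiry bounds how long a capture is useful, session binding stops a token minted for one client being presented by another, and the consumed-jti cache stops the same token being presented twice even inside the legitimate session.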

This matches the pattern of other recent Azure bugs, such as CVE-2025-54914 in Azure networking. Microsoft published the advisory through its Security Update Guide and deployed the fix within the service.

Mitigation Steps

Because Azure Bastion is a Microsoft-managed service, the fix was deployed on the service side rather than as a customer-installed update; every deployment before the November 20 fix was exposed, with no SKU or version-specific limits noted.

Admins should enable diagnostic settings on each Bastion host and send the BastionAuditLogs category to a Log Analytics workspace, then review those session records for logins from unexpected client IPs, off-hours sessions, and the same session reappearing from a different source. They should also require MFA through Microsoft Entra Conditional Access for the accounts that open Bastion sessions, restrict the AzureBastionSubnet network security group to the sources that need it, and keep VM-level rules allowing RDP and SSH only from the Bastion subnet.
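The log review above, as an added example of the indicators worth flagging in Bastion session records. This is example code written for this article, not Microsoft tooling; the records are constructed JSON lines with an assumed field layout (time, user, clientIp, sessionId, target, protocol), and the allowed egress range and working hours are assumptions. Real BastionAuditLogs rows in Log Analytics carry their own column names, so map them onto these fields before use.

```python
# Added example of triaging Bastion session records for the indicators named
# in the article. Example code written for this article, not Microsoft tooling.
# The records below are constructed JSON lines with an assumed field layout;
# real BastionAuditLogs rows use different column names, so map them first.
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed: the organisation's known admin egress range and working hours (UTC).
ALLOWED_CLIENT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(7, 20)

# Constructed sample records (not real logs).
SAMPLE_LOG = """
{"time": "2025-11-21T09:12:03Z", "user": "alice@example.com", "clientIp": "203.0.113.10", "sessionId": "a1f3", "target": "vm-web-01", "protocol": "rdp"}
{"time": "2025-11-21T09:40:11Z", "user": "alice@example.com", "clientIp": "198.51.100.77", "sessionId": "a1f3", "target": "vm-web-01", "protocol": "rdp"}
{"time": "2025-11-21T10:05:42Z", "user": "bob@example.com", "clientIp": "203.0.113.22", "sessionId": "b7c9", "target": "vm-db-02", "protocol": "ssh"}
{"time": "2025-11-22T02:15:27Z", "user": "carol@example.com", "clientIp": "203.0.113.30", "sessionId": "c3e8", "target": "vm-app-03", "protocol": "rdp"}
{"time": "2025-11-22T11:00:09Z", "user": "bob@example.com", "clientIp": "203.0.113.22", "sessionId": "b8d0", "target": "vm-db-02", "protocol": "ssh"}
"""


def parse_records(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return (rule, subject, detail) findings for sessions worth a second look."""
    findings = []
    ips_per_session = defaultdict(set)
    for r in records:
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
        ip = ipaddress.ip_address(r["clientIp"])
        if not any(ip in net for net in ALLOWED_CLIENT_RANGES):
            findings.append(("unexpected_source_ip", r["user"], r["clientIp"]))
        if ts.hour not in BUSINESS_HOURS_UTC:
            findings.append(("off_hours_session", r["user"], r["time"]))
        ips_per_session[r["sessionId"]].add(r["clientIp"])
    # The same session identifier arriving from two sources is the closest log
    # signature of a captured-and-replayed session token.
    for sid, ips in ips_per_session.items():
        if len(ips) > 1:
            findings.append(("session_reused_from_multiple_ips", sid, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(*finding)
```

Run against the constructed records, the triage flags alice's second connection (from outside the allowed range), carol's 02:15 session, and session a1f3 as seen from two different client addresses; that last rule is the one that most directly matches the capture-replay class of this flaw, and it is worth keeping even after the fix.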

Microsoft’s Secure Future Initiative aims to cut such flaws, but repeated auth issues signal ongoing challenges. Organizations must audit Bastion hosts now to block potential takeovers.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
