Microsoft patches critical authentication bypass flaw in Azure Bastion service
Take action: You don't have to do anything about this flaw, Microsoft says it is already patched automatically. But make note of the flaw for vendor evaluation and review your Bastion access logs for any suspicious authentication attempts.
Learn More
Microsoft has patched a critical security vulnerability in Azure Bastion, its managed service for secure remote access to Azure virtual machines. The flaw could have allowed remote attackers to gain administrative privileges on all virtual machines accessible through the Bastion service.
Azure Bastion is a managed platform-as-a-service that enables organizations to connect to virtual machines using Remote Desktop Protocol (RDP) or Secure Shell (SSH) without exposing the VMs directly to the internet.
The flaw is tracked CVE-2025-49752 (CVSS score 10.0) is an authentication bypass through capture-replay attacks. Microsoft has not disclosed any technical details about the vulnerability. The company claims that the vulnerability has already been fully mitigated through backend updates to the Azure Bastion service, requiring no action from customers.
The purpose of disclosing this CVE is to provide transparency to the security community and Azure customers about potential risks that have been patched.
