Azure’s Role-Based Access Control (RBAC) model simplifies identity and permissions management by offering predefined, built-in roles. However, even seemingly trusted built-in roles can introduce unexpected risks. In this talk, we’ll examine multiple over-privileged Azure built-in roles that grant permissions beyond their intended scope, enabling attackers to enumerate assets, map attack paths, leak exposed secrets, and access critical configurations. Additionally, we’ll discuss a newly discovered Azure API vulnerability that allows attackers to leak the key for the Azure VPN service. We’ll dive into black-box vulnerability research in Azure and demonstrate how combining these issues can lead to cloud infrastructure breaches and unauthorized access to on-premises networks via the corporate VPN, with serious consequences for organizations. The session concludes with actionable strategies to fortify identity security, so that security teams can maintain robust control over their cloud assets by mitigating these often-overlooked risks and stay ahead of the next major identity-driven attack.