Azure CycleCloud Remote Code Execution Vulnerability
The vulnerability results from improper authorization (CWE-285), meaning the access control mechanism does not properly verify the requesting user's permissions. An attacker possessing an account with low privilege level can send a specially crafted network request without requiring any interaction from the victim. Successful exploitation of the vulnerability leads to arbitrary code execution in the context of the Azure CycleCloud server.
An attacker can gain full control over the Azure CycleCloud instance, obtaining the ability to read and modify data as well as disrupt the operation of managed compute clusters. The scope of impact extends beyond the directly vulnerable component (S:C), creating a risk of lateral movement within the cloud infrastructure.
Security patches available from the vendor should be applied in accordance with references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43602. Immediate implementation of updates is recommended, as well as restricting access to the Azure CycleCloud management interface exclusively to trusted IP addresses.
Microsoft Azure CycleCloud — versions specified in vendor references (Microsoft Security Response Center).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Cyclecloud
APPMicrosoft8.0.0 – 8.6.5 (bez)
Related vulnerabilities
Azure CycleCloud Remote Code Execution Vulnerability
Azure CycleCloud Remote Code Execution Vulnerability
Azure CycleCloud Elevation of Privilege Vulnerability
Azure CycleCloud Elevation of Privilege Vulnerability
Azure CycleCloud Elevation of Privilege Vulnerability