Improper authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.
The error results from improper implementation of authorization mechanisms (CWE-285, CWE-863) in the Azure Automation service. An attacker with basic network access to the environment can exploit this vulnerability without requiring user interaction. This makes it possible to obtain permissions exceeding those the attacker is entitled to, and the attack effect may extend beyond the scope of the directly attacked resource (scope S:C in the CVSS vector).
An attacker can obtain unauthorized, elevated privilege levels in the Azure environment, which may lead to taking control of automation resources, disclosure of sensitive data, or integrity violation of systems managed by Azure Automation.
Patches available from the manufacturer should be applied according to references — details available in Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29827
Microsoft Azure Automation — versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LMicrosoft Azure Automation
APPMicrosoftwszystkie wersje
Related vulnerabilities
Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
An information disclosure vulnerability manifests when a user or an application uploads unprotected private ke...
An elevation of privilege vulnerability exists in Azure Automation "RunAs account" runbooks for users with con...
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server