Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
The flaw consists of improper access control (CWE-284) in the Azure Resource Manager service. An authenticated attacker with a basic level of permissions can, by sending appropriately crafted network requests, bypass authorization mechanisms and obtain privileges exceeding the granted scope. The network vector and lack of user interaction requirement mean that the attack can be conducted remotely and without victim participation.
An attacker can obtain elevated privileges in the Azure environment, potentially allowing full takeover of cloud resources, data read and modification, and disruption of services within the affected subscription or tenant.
Apply patches available from the vendor according to the following references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304. For services managed by Microsoft, updates may be deployed automatically on the platform side — it is recommended to verify the status in Microsoft Security Response Center.
Microsoft Azure Resource Manager — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Resource Manager
APPMicrosoftwszystkie wersje
Related vulnerabilities
Obejście uwierzytelniania w Azure Resource Manager umożliwia eskalację uprawnień
Pominięcie uwierzytelnienia w Azure Local Disconnected Operations — eskalacja uprawnień
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych