Azure Site Recovery privilege escalation

Published Tue, Feb 13th, 2024


When Azure Site Recovery is enabled, it provisions an Automation Account with a system-assigned managed identity to manage the Site Recovery extensions on VMs. The runbook that this Automation Account executes (a set of scripts for managing the extensions) produced job output that was visible to users, and that output mistakenly included a cleartext, Management-scoped access token (audience `https://management.azure.com/`) for the system-assigned managed identity, which holds the Contributor role over the entire Azure subscription. Any lower-privileged user who could read the Automation Account's job output could therefore copy and use that access token, impersonating the managed identity and elevating to Contributor on the whole subscription, including the ability to execute commands on VMs as `NT AUTHORITY\SYSTEM`.
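The check a subscription owner would want after reading the above is an audit of Automation job output for leaked Resource Manager tokens. The following Python script is an added example, not code from the advisory or from NetSPI: it scans job-output records for JWT-shaped strings, decodes (without verifying) the payload, and reports whether a match is an ARM-scoped token issued to a managed identity, redacting the token itself from the report. The record field names (`job_id`, `stream`, `text`), the sample records and the sample token are all constructed here so the script runs offline; the token is not a real Entra ID token.

```python
"""Scan Azure Automation job-output records for leaked ARM access tokens.

Added example (not the advisory's or NetSPI's code). The records and the
token below are constructed inline so the script runs offline.
"""
import base64
import json
import re
import time
from typing import Optional

# A JWT is three base64url segments separated by dots; an encoded JSON
# object always starts with "eyJ", which gives a cheap, high-precision match.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Audiences that mark a token as usable against Azure Resource Manager.
ARM_AUDIENCES = {
    "https://management.azure.com/",
    "https://management.azure.com",
    "https://management.core.windows.net/",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the payload without verifying the signature: we are
    classifying a token found in a log, not trusting it."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def classify_token(token: str, now: Optional[float] = None) -> dict:
    """Summarise what a leaked token grants. The xms_mirid claim carries the
    ARM resource ID of a managed identity, so its presence tells us the token
    was issued to one (here: the Automation Account's system-assigned MI)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    return {
        "audience": claims.get("aud"),
        "arm_scoped": claims.get("aud") in ARM_AUDIENCES,
        "managed_identity": "xms_mirid" in claims,
        "identity_resource_id": claims.get("xms_mirid"),
        "principal_oid": claims.get("oid"),
        "tenant": claims.get("tid"),
        "expired": claims.get("exp", 0) <= now,
    }


def scan_job_output(records: list) -> list:
    """records: dicts with job_id / stream / text (loosely modelled on the
    job stream entries the Automation API returns; field names are assumed).
    Returns one finding per token, with the token itself redacted."""
    findings = []
    for record in records:
        for token in JWT_RE.findall(record["text"]):
            try:
                info = classify_token(token)
            except ValueError:
                continue  # JWT-shaped, but the payload is not JSON
            findings.append({
                "job_id": record["job_id"],
                "stream": record["stream"],
                "token_prefix": token[:12] + "...",  # never re-log the secret
                **info,
            })
    return findings


def make_fake_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature. Used only to
    construct sample data; it is not a valid Entra ID token."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.notarealsignature"


# Constructed sample: one runbook job echoed the MI's ARM token into its
# verbose stream, alongside harmless output from other jobs.
SAMPLE_TOKEN = make_fake_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tid": "00000000-0000-0000-0000-000000000000",
    "oid": "11111111-1111-1111-1111-111111111111",
    "xms_mirid": "/subscriptions/22222222-2222-2222-2222-222222222222/resourcegroups/"
                 "rg-asr/providers/Microsoft.Automation/automationAccounts/asr-automation",
    "exp": int(time.time()) + 3600,
})
SAMPLE_RECORDS = [
    {"job_id": "job-0001", "stream": "Output", "text": "Installing Site Recovery extension on vm01"},
    {"job_id": "job-0001", "stream": "Verbose", "text": "Calling ARM with token " + SAMPLE_TOKEN},
    {"job_id": "job-0002", "stream": "Output", "text": "Extension already present on vm02, skipping"},
]

if __name__ == "__main__":
    for finding in scan_job_output(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

To run this against a real account, pull the job streams (for example with `Get-AzAutomationJobOutput -ResourceGroupName <rg> -AutomationAccountName <account> -Id <jobId> -Stream Any` from the Az PowerShell module) and map each stream entry into the `job_id` / `stream` / `text` shape. A hit whose `arm_scoped` and `managed_identity` flags are both set is the situation the advisory describes: treat the token as compromised until it expires and review the activity log for that principal's `oid` in the meantime.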

Affected Services

Azure Site Recovery (ASR)


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Tue, Jan 9th, 2024
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Joshua Murrell, NetSPI