VDB
GCVE-110-CLOUD-2024-0050
GCVE-110-CLOUD-2024-0050
Advisory Published
When the ASR service is enabled, it uses an Automation Account with a System-Assigned Managed Identity
to manage Site Recovery extensions on VMs. However, the Runbook (a set of scripts for managing extensions)
executed by the Automation Account had its job output visible to users, and this output mistakenly included
a cleartext Management-scoped Access Token for the System-Assigned Managed Identity, which possesses the
Contributor role over the entire Azure subscription. Therefore, lower-privileged user roles who could access
the Automation Account's job output could see and use this Access Token. This access allowed these users to
impersonate the Managed Identity, thereby elevating their privileges to that of a Contributor for the whole
subscription, including the ability to execute commands on VMs as `NT Authority\\SYSTEM`.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Azure | Azure Site Recovery (ASR) | — | — |
| Azure | Cloud Services | — | — |
| Azure | Managed Identity | — | — |
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.