{"id":7881,"date":"2026-04-21T12:35:31","date_gmt":"2026-04-21T12:35:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7881"},"modified":"2026-04-21T12:35:31","modified_gmt":"2026-04-21T12:35:31","slug":"azure-sre-agent-flaw-lets-outsiders-silently-eavesdrop-on-enterprise-cloud-operations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7881","title":{"rendered":"Azure SRE Agent flaw lets outsiders silently eavesdrop on enterprise cloud operations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A high-severity authentication flaw in Microsoft\u2019s Azure SRE Agent exposed sensitive agent data to unauthorized network access, according to a confirmed vulnerability disclosure.<\/p>\n<p>The issue was identified by Enclave AI researcher Yanir Tsarimi, who detailed the findings in a <a href=\"https:\/\/enclave.ai\/blog\/anyone-could-watch-your-azure-ai-agents-conversations-in-real-time\" target=\"_blank\" rel=\"noopener\">blog post<\/a> describing how agent interactions could be accessed without proper authentication controls. The vulnerability has been tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32173\" target=\"_blank\" rel=\"noopener\">CVE-2026-32173<\/a> and rated critical with a CVSS score of 8.6.<\/p>\n<p>In the blog, Tsarimi described scenarios where agent activity could be observed during execution, including interactions between users and the system. 
The exposure stemmed from an authentication gap in the service, allowing access to data streams without valid credentials.<\/p>\n<p>Microsoft classified it as an improper authentication issue that allows an unauthorized attacker to disclose information over a network, the NVD entry said.<\/p>\n<p>\u201cImagine you hired an assistant who has access to everything: your servers, your logs, your passwords, your source code. Now imagine a total stranger, from a completely unrelated company, could silently listen to every conversation that assistant has,\u201d Enclave researcher Yanir Tsarimi wrote. \u201cThat\u2019s what we found in Azure SRE Agent.\u201d<\/p>\n<p>Microsoft has since fixed the issue, the blog added. The fix was applied server-side, and Microsoft\u2019s advisory states that no customer action is required. Azure SRE Agent reached <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/appsonazureblog\/announcing-general-availability-for-the-azure-sre-agent\/4500682\" target=\"_blank\" rel=\"noopener\">general availability<\/a> on March 10.<\/p>\n<h2 class=\"wp-block-heading\">Multi-tenant by default<\/h2>\n<p>The agent streams all activity through a WebSocket endpoint called \/agentHub, the blog said.<\/p>\n<p>The endpoint required a token to connect, but the underlying Entra ID app registration was configured as multi-tenant, meaning any account from any Entra ID tenant could obtain a valid token that the hub would accept.<\/p>\n<p>\u201cThe hub then checked: Is the token valid? Yes. Is the audience correct? Yes. It never asked: Does this caller belong to the target\u2019s tenant? Are they authorized to use this agent? 
Do they have any role on this resource?\u201d Tsarimi wrote.<\/p>\n<p>Once connected, the hub broadcasts all events to all clients with no identity filtering, the blog said.<\/p>\n<p>The exposed channel included user prompts, agent responses, internal reasoning traces, every command executed with full arguments, and the command output.<\/p>\n<p>\u201cIn our own test environment, we watched the agent run a routine task and return deployment credentials for live web applications,\u201d Tsarimi wrote. \u201cAn eavesdropper on a real target would have received the same. Silently. With nothing to indicate anyone else was on the line.\u201d<\/p>\n<p>Exploitation required only the target agent\u2019s subdomain, which Enclave described as predictable and enumerable, and roughly 15 lines of Python. Third-party trackers identified the affected component as the <a href=\"https:\/\/www.redpacketsecurity.com\/cve-alert-cve-2026-32173-microsoft-azure-sre-agent-gateway-signalr-hub\/\">Azure SRE Agent Gateway SignalR Hub<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Watching a privileged operator think out loud<\/h2>\n<p>The category of flaw should not be compared too closely to a conventional API bug, said Alexander Hagenah, cybersecurity researcher and executive director at Zurich-based financial infrastructure operator SIX Group.<\/p>\n<p>\u201cA normal API issue is usually bound by a specific endpoint, dataset, or permission check. With an AI operations agent, the agent itself becomes the aggregation point for infrastructure state, logs, source code, incident context, commands, outputs, and sometimes credentials that appear during troubleshooting,\u201d Hagenah said.<\/p>\n<p>\u201cIn practical terms, it can look like watching a privileged operator think out loud,\u201d he added.<\/p>\n<p>The exposure does not amount to automatic infrastructure compromise, Hagenah said, but it can be more valuable than many read-only bugs. 
Attackers typically have to work hard after initial access to understand an environment. An SRE agent may already have that context assembled for them.<\/p>\n<p>The connection also left no trace on the victim\u2019s side, the researcher wrote. \u201cVictim organizations had no way to detect it, no way to investigate after the fact, and no way to scope what had been exposed.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Considerations for enterprises<\/h2>\n<p>In the blog post, Enclave noted that organizations that ran Azure SRE Agent during the preview window must treat the period as potentially exposed and review any credentials, configuration data, or sensitive information that may have passed through agent conversations or CLI outputs.<\/p>\n<p>Hagenah said agentic operations services need to be governed more like privileged automation platforms than ordinary SaaS tools.<\/p>\n<p>\u201cBefore granting that level of access, I would want very clear answers on tenant isolation and resource-level authorization. It should not be enough that a token is valid. The service has to verify that the caller belongs to the right tenant, is authorized for that specific agent, and is allowed to access that specific stream, thread, tool output, or action,\u201d he said.<\/p>\n<p>The agent should run under a dedicated managed identity with minimal permissions, and integrations with command execution, log query, source repositories, and incident platforms should be reviewed like any other privileged system, Hagenah said. Enterprises also need to know who connected, what threads they accessed, what commands ran, and what output was returned, with logs exportable to the SIEM. 
Microsoft did not immediately respond to a request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A high-severity authentication flaw in Microsoft\u2019s Azure SRE Agent exposed sensitive agent data to unauthorized network access, according to a confirmed vulnerability disclosure. The issue was identified by Enclave AI researcher Yanir Tsarimi, who detailed the findings in a blog post describing how agent interactions could be accessed without proper authentication controls. The vulnerability has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7882,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7881"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7881"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7881\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7882"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=
7881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}