CVE-2026-26135

Microsoft · Azure Custom Locations

A Server-Side Request Forgery (SSRF) in the Azure Custom Locations Resource Provider allows authenticated attackers to elevate privileges over a network.

Executive summary

Azure Custom Locations contains an SSRF vulnerability that allows an authorized attacker to escalate their privileges, potentially compromising the underlying resource provider.

Vulnerability

This is a Server-Side Request Forgery (SSRF) vulnerability that requires the attacker to be authorized (authenticated). An authenticated user can induce the Resource Provider to issue requests it should not make on their behalf, and the access those requests reach leads to privilege escalation within the Azure environment.

Business impact

While this requires prior authentication, the CVSS score of 9.6 indicates a critical risk. An attacker with low-level access could escalate to administrative levels, gaining control over custom location resources and potentially pivoting to other connected Azure services, resulting in unauthorized data access and infrastructure manipulation.

Remediation

Immediate Action: Update the Azure Custom Locations Resource Provider to the latest version through the Azure portal or CLI.

Proactive Monitoring: Monitor for anomalous API calls to the Custom Locations Resource Provider (RP) and review logs for unexpected internal network traffic originating from the RP.

Compensating Controls: Enforce the principle of least privilege for all users and service principals interacting with Custom Locations to limit the potential scope of an SSRF-based escalation.
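The monitoring and least-privilege items above can be turned into a concrete log check. The script below is an added example and is not part of this advisory or of any Microsoft tooling: it assumes activity-log records shaped like a simplified Azure Activity Log export (operationName, caller, status, resourceId), takes the provider namespace Microsoft.ExtendedLocation from Azure documentation rather than from this advisory, and runs over constructed sample records. It flags state-changing calls to the Custom Locations RP from callers outside an allow-list, calls the RP rejected, and callers whose volume against the RP exceeds a threshold.

```python
"""Detection helper: flag anomalous calls to the Azure Custom Locations RP.

Added example, not part of the advisory or any Microsoft tooling. Assumes
activity-log records shaped like a simplified Azure Activity Log export
(operationName, caller, status, resourceId). The sample records below are
constructed, not captured from a real tenant.
"""
from collections import Counter

# Resource provider namespace for Azure Custom Locations. Taken from Azure
# documentation; the advisory itself does not name it.
CUSTOM_LOCATIONS_RP = "microsoft.extendedlocation"

# Operation suffixes that change state. A caller outside the allow-list
# issuing any of these against the RP deserves review.
MUTATING_ACTIONS = {"write", "delete", "action"}


def parse_operation(operation_name):
    """Split 'Provider/type/action' into (provider, action), lower-cased."""
    parts = operation_name.split("/")
    if len(parts) < 2:
        return operation_name.lower(), ""
    return parts[0].lower(), parts[-1].lower()


def find_anomalies(records, allowed_writers, burst_threshold=4):
    """Return findings for Custom Locations RP calls that look anomalous.

    Three checks, mirroring the advisory's monitoring advice:
      * unexpected_write: mutating call by a caller not on the allow-list
      * failed_call: a call the RP rejected (repeated failures suggest probing)
      * burst: one caller exceeding burst_threshold calls against the RP
    """
    findings = []
    per_caller = Counter()
    allowed = {c.lower() for c in allowed_writers}

    for rec in records:
        provider, action = parse_operation(rec.get("operationName", ""))
        if provider != CUSTOM_LOCATIONS_RP:
            continue  # other resource providers are out of scope here
        caller = rec.get("caller", "").lower()
        per_caller[caller] += 1

        if action in MUTATING_ACTIONS and caller not in allowed:
            findings.append({"reason": "unexpected_write", "caller": caller,
                             "operation": rec["operationName"]})
        if rec.get("status", "").lower() == "failed":
            findings.append({"reason": "failed_call", "caller": caller,
                             "operation": rec["operationName"]})

    for caller, count in per_caller.items():
        if count > burst_threshold:
            findings.append({"reason": "burst", "caller": caller,
                             "operation": f"{count} calls"})
    return findings


def _rec(op, caller, status="Succeeded", name="edge-01"):
    """Build one constructed activity-log record for the sample set."""
    return {
        "operationName": op,
        "caller": caller,
        "status": status,
        "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/rg-hybrid/providers/"
                       f"Microsoft.ExtendedLocation/customLocations/{name}"),
    }


# Constructed sample log, not real data.
SAMPLE_RECORDS = [
    _rec("Microsoft.ExtendedLocation/customLocations/read", "automation@example.com"),
    _rec("Microsoft.ExtendedLocation/customLocations/write", "automation@example.com"),
    _rec("Microsoft.ExtendedLocation/customLocations/write", "dev-user@example.com"),
    _rec("Microsoft.ExtendedLocation/customLocations/delete", "dev-user@example.com",
         status="Failed"),
    _rec("Microsoft.Compute/virtualMachines/read", "dev-user@example.com"),
] + [_rec("Microsoft.ExtendedLocation/customLocations/read", "scanner@example.com")
     for _ in range(5)]

# Identities expected to change Custom Locations resources (constructed).
ALLOWED_WRITERS = ["automation@example.com"]


def run_sample():
    """Run the checks over the constructed sample log."""
    return find_anomalies(SAMPLE_RECORDS, ALLOWED_WRITERS, burst_threshold=4)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['reason']:16} {f['caller']:24} {f['operation']}")
```

The allow-list is the least-privilege control expressed as data: anyone not on it who writes to, deletes or acts on a custom location is surfaced, as is anyone the RP turns away or who hammers it. Tune burst_threshold to the tenant's normal automation volume before relying on the burst check.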

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations utilizing hybrid or custom Azure locations should apply this update immediately. Even though authentication is required, the potential for an insider threat or a compromised low-privilege account to escalate to full control makes this a critical priority for security teams.