CVE-2019-0962 — Azure Automation Elevation of Privilege Vulnerability

Executive Summary

An elevation of privilege vulnerability exists in Azure Automation “RunAs account” runbooks for users with contributor role. This vulnerability could potentially allow members of an organization to access Key Vault secrets through a runbook, even if these members would personally not have access to that Key Vault. To exploit this vulnerability, an attacker must be a member of an organization who can run runbooks, with only global admins/co-admins who can create the “run as” account. Microsoft is addressing the vulnerability by providing the following scripts for existing RunAsAutomation accounts that modify existing roles by excluding access to KeyVault within Azure Automation account. https://www.powershellgallery.com/packages/Check-AutomationRunAsAccountRoleAssignments https://www.powershellgallery.com/packages/Update-AutomationRunAsAccountRoleAssignments https://www.powershellgallery.com/packages/Extend-AutomationRunAsAccountRoleAssignmentToKeyVault

Overview

Important

MS Severity

Not Exploited

MS Exploit Status

Less Likely

MS Exploit Likelihood

Category Elevation of Privilege

Released Jul 9 2019

Last Updated Jul 9 2019

Publicly Disclosed Yes

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.04293 — 0.89849 percentile

EPSS Score

0.04293

probability of exploitation in the next 30 days

0.89849 percentile - updated 2026-06-20

View on FIRST.org

Affected Products

1 affected product

Product	KB Article	Severity	Impact	Restart Required
Azure Automation	`More information (None)`	Important	Elevation of Privilege	Maybe

Patches

1 patch

Article	Type	Restart
`More information`	None	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

of NetSPI

References

MSRC Advisory MITRE NVD