Varonis Threat Labs found an Azure Cosmos for PostgreSQL flaw that let attackers bypass server-side validation and inject arbitrary PostgreSQL configuration values through the Azure management API, leading to remote code execution. Microsoft confirmed the issue as an important RCE and released a fix in summer 2025, with the report emphasizing least privilege and stronger identity and database controls. #AzureCosmosforPostgreSQL #Microsoft #VaronisThreatLabs
Keypoints
- Varonis Threat Labs discovered a vulnerability in Azure Cosmos for PostgreSQL that could result in remote code execution.
- The flaw came from improperly validated server configuration values exposed through the Azure management API.
- Attackers with sufficient management privileges could edit arbitrary PostgreSQL parameters, including sensitive server functions.
- The researchers bypassed validation by using control characters such as form feed and a double newline to inject a new configuration entry.
- The exploit path showed that the archive_command parameter could be abused to run arbitrary operating system commands on the database server.
- Microsoft confirmed the issue and released a fix in the summer of 2025; no further customer action was required for Azure Cosmos DB for PostgreSQL.
- The article stresses least privilege, auditing, private endpoints, and phishing-resistant MFA to reduce risk in Azure-managed environments.
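The root cause summarized above is a configuration value that passed validation as one parameter but could be rendered as a second, injected entry. As an added example (not code from Varonis or Microsoft), the Python below shows the two defender-side checks a management plane or an audit job would want: a validator that rejects control characters and confirms the rendered entry round-trips as exactly one postgresql.conf line, and an audit over a config snapshot that flags command-executing parameters and anything outside a tenant allowlist. The allowlist, the sample config and the command-executing parameters other than archive_command are constructed assumptions.

```python
import re
# GUCs the postmaster runs as OS commands (archive_command is the one abused in
# the write-up); a managed service should never let tenants set these at all.
COMMAND_GUCS = frozenset({"archive_command", "restore_command",
                          "archive_cleanup_command", "ssl_passphrase_command"})
# Constructed allowlist of tenant-editable parameters (an assumption here).
TENANT_ALLOWLIST = frozenset({"log_line_prefix", "work_mem", "statement_timeout"})
# One postgresql.conf assignment: name [=] 'quoted' | bare value [# comment]
_ENTRY_RE = re.compile(
    r"^\s*([A-Za-z_][\w.]*)\s*=?\s*(?:'((?:[^'\\\n]|\\.|'')*)'|(\S+))\s*(?:#.*)?$")

def render_entry(name, value):
    """Serialize one quoted postgresql.conf line, doubling ' and escaping \\."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return f"{name} = '{escaped}'"

def validate_setting(name, value, allowlist=TENANT_ALLOWLIST):
    """(ok, reason): allowlisted name, no control chars, renders to ONE entry."""
    key = name.lower()
    if key in COMMAND_GUCS or key not in allowlist:
        return False, f"{key} is not tenant-editable"
    ctrl = sorted({c for c in value if not c.isprintable()})
    if ctrl:  # catches \f, \n, \r, NUL ... before any quoting logic sees them
        return False, "control characters: " + " ".join(f"\\x{ord(c):02x}" for c in ctrl)
    lines = render_entry(key, value).splitlines()  # also splits on \f and \v
    m = _ENTRY_RE.match(lines[0]) if len(lines) == 1 else None
    if not m or m.group(1).lower() != key:
        return False, "value does not round-trip as a single config entry"
    return True, "ok"

def find_suspect_entries(conf_text, allowlist=TENANT_ALLOWLIST):
    """Audit a conf snapshot: (line_no, reason, text) for each risky entry."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        key = m.group(1).lower() if m else ""  # "" = unparseable, never allowlisted
        if key in COMMAND_GUCS:
            hits.append((lineno, "command-executing parameter set", line))
        elif key not in allowlist:
            hits.append((lineno, "parameter outside allowlist or unparseable", line))
    return hits
# Constructed snapshot: two legitimate lines, then two that an audit should flag.
SAMPLE_CONF = """\
log_line_prefix = '%m [%p] '
work_mem = 64MB
hello = 'world'
archive_command = 'cp %p /var/lib/postgresql/archive/%f'
"""
```

Running `find_suspect_entries(SAMPLE_CONF)` flags lines 3 and 4, and `validate_setting("log_line_prefix", "x\f'\n\nhello = 'y'")` is rejected on the control-character check before any quoting logic runs.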
MITRE Techniques
- [T1202] Indirect Command Execution – The attacker could abuse the PostgreSQL archive_command setting to run commands on the underlying operating system (‘execute code with the archive_command parameter, whose value is a command periodically run to archive WAL logs’).
- [T1068] Exploitation for Privilege Escalation – The flaw allowed a management-privileged actor to gain unrestricted access and potentially escalate within the tenant or across tenants (‘could gain unrestricted data access to the cluster, and compromise cloud-managed infrastructure’).
- [T1565.001] Data Manipulation: Stored Data Manipulation – The attacker could modify PostgreSQL configuration data through the management API to inject new parameters (‘it was possible to edit arbitrary PostgreSQL configurations through the Azure management API’).
- [T1548] Abuse Elevation Control Mechanism – The issue bypassed server-side validation controls by using a form feed and newline trick to insert forbidden characters (‘putting a form feed (\f) in front of the single quotation mark allowed us to bypass the validation’).
Indicators of Compromise
- [File/Configuration Parameter] abused for code execution and config injection – archive_command, log_line_prefix
- [Validation Bypass Payload Elements] used to bypass server-side checks – form feed (\f), double newline
- [Arbitrary Test Parameter] proof-of-concept injected config entry – hello
Read more: https://www.varonis.com/blog/rce-on-azure-cosmos-for-postgresql