Azure SRE Agent Flaw Lets Outsiders Silently Eavesdrop on Enterprise Cloud Operations
Why It Matters
The bug gave attackers silent access to privileged operational data, raising severe risk for cloud‑native enterprises and exposing gaps in AI‑driven automation security.
Key Takeaways
- Azure SRE Agent flaw allowed unauthenticated WebSocket access
- Multi-tenant app registration let any Entra ID token connect
- Attackers could eavesdrop on prompts, credentials, and command output
- Microsoft patched the issue server‑side; no customer action required
- Enterprises should enforce tenant isolation and privileged‑automation controls
Pulse Analysis
The Azure SRE Agent, Microsoft’s AI‑powered site‑reliability engineering assistant, reached general availability in March 2024, promising automated incident triage and deployment tasks. By streaming all interactions through a SignalR WebSocket endpoint, the service centralizes logs, code snippets, and credential material, making it a high‑value target for threat actors. When the underlying Entra ID app registration was configured as multi‑tenant, the token validation logic ignored the caller’s tenant, effectively turning the hub into an open broadcast channel.
Security researchers at Enclave AI uncovered that the hub accepted any valid token from any Azure AD tenant and then relayed every event to all connected clients. The flaw, scored 8.6 on the CVSS scale, exposed user prompts, internal reasoning traces, command arguments, and even deployment credentials in real time. Exploitation required only a predictable subdomain and a short Python script, leaving victims with no logs or alerts of the eavesdropping session.
Microsoft’s rapid server‑side remediation eliminated the authentication gap, but the episode underscores a broader challenge: AI‑driven operations tools must be treated as privileged automation platforms. Enterprises should enforce strict tenant isolation, bind agents to dedicated managed identities with least‑privilege permissions, and integrate comprehensive telemetry into SIEMs. As cloud providers embed more AI agents into critical workflows, robust authorization checks and auditability will be essential to prevent silent data leakage and preserve trust in automated infrastructure management.
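The tenant check and per-tenant event scoping that the analysis above describes as missing can be sketched as follows. This is an added example, not Microsoft's code or the researchers' script: `Hub`, `tenant_of`, `weak_accept`, `make_claims` and the tenant IDs are hypothetical, and the claims are assumed to come from a token whose signature, expiry and audience were already verified.

```python
# Added example: claims are assumed to be from an already signature-verified
# Entra ID token. All tenant IDs and names below are constructed.
from collections import defaultdict

HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed
OUTSIDE_TENANT = "99999999-9999-9999-9999-999999999999"  # constructed


def weak_accept(claims):
    """The flawed pattern: any validly signed token is accepted."""
    return True


def tenant_of(claims, allowed_tenants):
    """Return the caller's tenant ID if it is allowed, otherwise None."""
    tid = claims.get("tid")
    if not tid or tid not in allowed_tenants:
        return None
    # The issuer must name the same tenant as the tid claim (v2.0 format).
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return None
    return tid


class Hub:
    """Hypothetical hub that scopes event fan-out to the sender's tenant."""

    def __init__(self, allowed_tenants):
        self.allowed = set(allowed_tenants)
        self.groups = defaultdict(list)   # tenant ID -> connected inboxes

    def connect(self, claims):
        tid = tenant_of(claims, self.allowed)
        if tid is None:
            return None                   # reject the connection outright
        inbox = []
        self.groups[tid].append(inbox)
        return inbox

    def publish(self, tenant_id, event):
        # Deliver only to connections from the same tenant, never to all.
        for inbox in self.groups.get(tenant_id, []):
            inbox.append(event)


def make_claims(tid):
    """Build constructed claims for a given tenant ID."""
    return {"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0"}
```

Rejected connections are worth logging with the presented `tid`, since the article notes that victims had no logs or alerts of the eavesdropping session.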