CVE-2022-35772 in Azure Site Recovery VMWare to Azure
Summary
by MITRE • 08/10/2022
Azure Site Recovery Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-35824.
Analysis
by VulDB Data Team • 05/29/2025
The Azure Site Recovery service is a critical component of Microsoft's cloud disaster recovery infrastructure, providing automated backup and recovery capabilities for virtual machines across on-premises and cloud environments. This vulnerability specifically affects the Azure Site Recovery service's handling of incoming requests within its replication and failover mechanisms, creating a remote code execution vector that could be exploited by unauthorized threat actors. The flaw exists in the service's authentication and validation processes, where insufficient input sanitization allows a malicious actor to craft requests that bypass security controls and execute arbitrary code on affected systems.
The technical implementation of this vulnerability stems from improper validation of user-supplied data within the Azure Site Recovery service's API endpoints. When processing replication commands or failover requests, the system fails to adequately sanitize input parameters, particularly those related to configuration data and metadata fields. This weakness aligns with CWE-20, which addresses improper input validation, and creates a pathway for attackers to inject malicious payloads that can be executed within the context of the Site Recovery service. The vulnerability is particularly concerning because it operates at the service level rather than the application level, meaning successful exploitation could provide attackers with elevated privileges and access to underlying infrastructure components.
The operational impact of this vulnerability extends beyond simple remote code execution, as it could enable attackers to compromise entire disaster recovery workflows and potentially gain access to sensitive data stored in replicated virtual machines. Threat actors could leverage this vulnerability to disrupt business continuity processes, escalate privileges within the Azure environment, or use the compromised service as a foothold for further lateral movement. The attack surface is particularly broad given that Azure Site Recovery is commonly deployed across enterprise environments for critical data protection, making the potential impact substantial for organizations relying on this service for their disaster recovery strategies. This vulnerability directly maps to several ATT&CK techniques including T1059 for command and script injection and T1078 for valid accounts, as attackers would need to establish legitimate access points before exploiting the service.
Mitigation strategies for this vulnerability require immediate patching of affected Azure Site Recovery service components and implementation of network-level controls to restrict access to the service endpoints. Organizations should deploy network segmentation to limit exposure of the Site Recovery service to trusted networks and implement strict access controls using Azure role-based access control mechanisms. Additionally, monitoring should be enhanced to detect anomalous API requests that might indicate exploitation attempts, particularly around replication and failover operations. The recommended approach includes enabling Azure Security Center monitoring, implementing Azure Network Watcher for traffic analysis, and establishing incident response procedures specifically for recovery service vulnerabilities. Organizations should also conduct comprehensive assessments of their disaster recovery configurations to identify any additional attack vectors that might exist in their broader Azure environments, as this vulnerability could potentially be leveraged as part of a larger attack campaign targeting cloud infrastructure.
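The monitoring recommendation above (watch for anomalous API requests around replication and failover operations, and restrict who may invoke them) can be turned into a concrete detection. The following is an added example, not part of the VulDB advisory and not Microsoft's tooling. It assumes a simplified Azure Activity Log record shape with the fields operationName, caller, callerIpAddress, resultType and eventTimestamp; the sample records, the trusted network range and the principal allowlist are constructed for the example. It flags Site Recovery control-plane operations that come from outside trusted networks, that are issued by a principal not on the allowlist, or that fail repeatedly from the same caller within a short window.

```python
"""Flag anomalous Azure Site Recovery control-plane activity.

Added example (not from the advisory). Uses a simplified, constructed
Activity Log record shape; real exports carry more fields.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Site Recovery control-plane
# operations live under the Microsoft.RecoveryServices resource provider.
SAMPLE_ACTIVITY_LOG = """
{"eventTimestamp": "2022-08-10T09:00:00Z", "operationName": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write", "caller": "dr-automation@example.com", "callerIpAddress": "10.20.0.15", "resultType": "Success"}
{"eventTimestamp": "2022-08-10T09:05:00Z", "operationName": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action", "caller": "dr-automation@example.com", "callerIpAddress": "203.0.113.7", "resultType": "Success"}
{"eventTimestamp": "2022-08-10T09:10:00Z", "operationName": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write", "caller": "contractor-temp@example.com", "callerIpAddress": "10.20.0.40", "resultType": "Failed"}
{"eventTimestamp": "2022-08-10T09:11:00Z", "operationName": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write", "caller": "contractor-temp@example.com", "callerIpAddress": "10.20.0.40", "resultType": "Failed"}
{"eventTimestamp": "2022-08-10T09:12:00Z", "operationName": "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write", "caller": "contractor-temp@example.com", "callerIpAddress": "10.20.0.40", "resultType": "Failed"}
{"eventTimestamp": "2022-08-10T09:15:00Z", "operationName": "Microsoft.Compute/virtualMachines/read", "caller": "dr-automation@example.com", "callerIpAddress": "10.20.0.15", "resultType": "Success"}
"""

# Constructed policy: the networks and principals allowed to drive replication
# and failover. In a real deployment these come from the RBAC assignments and
# network segmentation the advisory recommends.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_PRINCIPALS = {"dr-automation@example.com"}
SENSITIVE_PREFIX = "Microsoft.RecoveryServices/vaults/replicationFabrics/"


def parse_records(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sensitive(record):
    """True for replication/failover control-plane operations."""
    return record["operationName"].startswith(SENSITIVE_PREFIX)


def is_trusted_ip(ip, networks=TRUSTED_NETWORKS):
    """True when the caller address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_anomalies(records, trusted_networks=TRUSTED_NETWORKS,
                   allowed_principals=ALLOWED_PRINCIPALS,
                   fail_threshold=3, window=timedelta(minutes=10)):
    """Return a list of findings for sensitive operations that break policy."""
    findings = []
    failures = defaultdict(list)  # caller -> timestamps of recent failures
    for rec in sorted(records, key=lambda r: r["eventTimestamp"]):
        if not is_sensitive(rec):
            continue
        ts = datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00"))
        base = {"caller": rec["caller"], "ip": rec["callerIpAddress"],
                "operation": rec["operationName"], "time": rec["eventTimestamp"]}
        if not is_trusted_ip(rec["callerIpAddress"], trusted_networks):
            findings.append({"reason": "untrusted_ip", **base})
        if rec["caller"] not in allowed_principals:
            findings.append({"reason": "unknown_principal", **base})
        if rec["resultType"] != "Success":
            recent = failures[rec["caller"]]
            recent.append(ts)
            # Keep only failures inside the sliding window, then fire once
            # when the count reaches the threshold.
            recent[:] = [t for t in recent if ts - t <= window]
            if len(recent) == fail_threshold:
                findings.append({"reason": "failure_burst",
                                 "count": len(recent), **base})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_records(SAMPLE_ACTIVITY_LOG)):
        print(json.dumps(finding))
```

Run against the constructed sample, the script reports one failover from an address outside the trusted range, three operations by a principal that has no business touching replication, and one burst of failed writes from that same principal; the unrelated virtual machine read is ignored. Feeding it a real Activity Log export only requires mapping the exporter's field names onto the five used here.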