Program

/

CODE BLUE 2025

Time Table

Cloud-Wide Contamination: Chaining SSRFs for Tenant Compromise in Azure (CVE-2025-29972)

DAY 2

10:40-11:20

Cloud platforms rely on deep trust between internal components—but what if that trust is broken? This talk presents the discovery and exploitation of CVE-2025-29972, a critical 9.9 CVSS flaw in Azure’s Storage Resource Provider. We reveal a multi-stage attack chain starting from a classic SSRF, used to hijack the identity metadata fetching process and leak Azure Active Directory (AAD) tokens for arbitrary tenants.

Our research introduces “Spray&Pray4Bind,” a novel DNS rebinding technique built to bypass modern caching defenses that render traditional rebinding ineffective. We walk through the full exploit: from SSRF to token abuse, lateral movement, and ultimately regenerating SFTP passwords—compromising tenant storage. Based on internal offensive research at Microsoft, this talk shows how broken trust in cloud services can lead to full compromise—and provides defensive insights for securing complex cloud environments.

  • Location :

    • Track 1(HALL B)

  • Category :

    • Technical

  • Share :

Speakers

  • ウラジミール・トカレフ の写真

    Vladimir Tokarev

    ウラジミール・トカレフ

    Vladimir Tokarev is a Senior Vulnerability Researcher at Cyera with over 11 years of experience in the cybersecurity field. He specializes in vulnerability research across Windows, Linux, IoT, OT, and cloud environments. Vladimir has presented his research at leading industry conferences, including Black Hat USA 2023, Black Hat USA 2024, RSA Conference 2023, and most recently at DEF CON Recon Village 2025.
    X(twitter): @G1ND1L4