services / Azure / VPN link connection shared key

The IPsec pre-shared key (shared secret) authenticating a site-to-site VPN link connection on an Azure VPN Gateway, securing the tunnel to a connected on-premises or partner network.

Credential material that authenticates a tunnel bridging into internal/peer networks.


Microsoft.Network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKeys/read

This read operation returns the IPsec pre-shared key in plaintext, exporting credential material that an attacker can use to establish or impersonate the site-to-site tunnel and reach the connected network.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/microsoft.network
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog