Feeding Frenzy: RCE on Azure Cosmos for PostgreSQL
Varonis Threat Labs identified a Remote Code Execution (RCE) vulnerability in Azure Cosmos for PostgreSQL caused by improper input validation of the log_line_prefix parameter within the Azure management API. By using form feed and newline characters, attackers could bypass single-quote restrictions to inject arbitrary PostgreSQL configuration parameters, such as archive_command, ultimately leading to arbitrary OS command execution on the underlying managed database node.
Authors: Varonis Threat Labs
Source: Varonis
What Happened
Security researchers discovered a critical flaw in Microsoft's Azure Cosmos for PostgreSQL service that allowed attackers to run unauthorized commands on the underlying servers. This happened because the system did not properly check the text users entered when changing certain database settings. If exploited, an attacker could potentially access, steal, or destroy sensitive data stored in the cloud. Microsoft has already fixed this issue on their end, so customers do not need to take any action to patch it. However, organizations should ensure their cloud accounts have strict access controls to prevent unauthorized users from changing settings in the first place.
Key Takeaways
- Varonis Threat Labs discovered a Remote Code Execution (RCE) vulnerability in Azure Cosmos for PostgreSQL via the Azure management API.
- The vulnerability was caused by improper validation of the 'log_line_prefix' configuration parameter.
- Attackers bypassed character restrictions by prepending a form feed (\f) character and using double newlines (\n\n) to inject arbitrary PostgreSQL parameters.
- Exploitation allowed arbitrary OS command execution on the underlying database server via the 'archive_command' parameter.
- Microsoft released a fix in the summer of 2025, and no further action is required by customers.
Affected Systems
- Azure Cosmos for PostgreSQL
Attack Chain
An attacker with management privileges to the Azure Cosmos DB cluster modifies the log_line_prefix parameter via the Azure management API. The attacker bypasses single-quote character restrictions by prepending a form feed (\f) character. Using double newlines (\n\n), the attacker injects a new configuration parameter, specifically archive_command, into the postgresql.conf file. When the server reloads the configuration, the injected archive_command executes arbitrary operating system commands on the underlying database node.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but recommends monitoring PostgreSQL and Azure-native audit logs for unexpected configuration changes.
Detection Engineering Assessment
- EDR Visibility: None — Azure Cosmos for PostgreSQL is a managed PaaS offering; customers cannot install EDR agents on the underlying database nodes.
- Network Visibility: Low — Exploitation occurs over encrypted Azure management API channels, making network-level payload inspection difficult without API telemetry.
- Detection Difficulty: Moderate — Requires monitoring Azure management API logs for configuration changes to PostgreSQL parameters, specifically looking for anomalous characters such as form feeds or newlines in parameter values.
Required Log Sources
- Azure Activity Logs
- PostgreSQL Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Threat actors may attempt to inject malicious configurations by passing newline or form feed characters into Azure Cosmos DB parameter updates. | Azure Activity Logs | Execution | Low |
| Unexpected changes to the archive_command parameter in PostgreSQL may indicate an attempt to execute arbitrary OS commands. | PostgreSQL Audit Logs | Execution | Medium |
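Both hypotheses in the table above, as detection logic run over constructed Azure Activity Log-style records (an added example, not code from Varonis or Microsoft). The record layout, the operation name and the caller field are assumptions about the log shape; the check also generalizes beyond archive_command to the other PostgreSQL parameters whose values the server hands to a shell.

```python
import re

# Constructed Azure Activity Log-style records. The field names and the
# operation name are assumptions about the log shape, not the real schema.
OP = "Microsoft.DBforPostgreSQL/serverGroupsv2/configurations/write"
SAMPLE_RECORDS = [
    {"operationName": OP, "caller": "alice@example.com",
     "properties": {"parameterName": "log_line_prefix", "value": "%m [%p] "}},
    {"operationName": OP, "caller": "bob@example.com",   # PoC payload from the write-up
     "properties": {"parameterName": "log_line_prefix", "value": "\f'\n\nhello='world"}},
    {"operationName": OP, "caller": "bob@example.com",
     "properties": {"parameterName": "archive_command", "value": "/bin/true"}},
]

# Control characters that never belong in a postgresql.conf value
# (NUL..BS, LF, VT, FF, CR, ESC); tab is left out as benign.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x0d\x1b]")
# A newline followed by "name =" means a second, injected parameter assignment.
INJECTED_ASSIGNMENT = re.compile(r"\n\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=")
# PostgreSQL parameters whose value the server hands to a shell.
SHELL_PARAMS = {"archive_command", "restore_command", "archive_cleanup_command",
                "recovery_end_command", "ssl_passphrase_command"}

def inspect_record(rec):
    """Return (severity, reason) findings for one configuration-write record."""
    findings = []
    if "configurations/write" not in rec.get("operationName", ""):
        return findings
    props = rec.get("properties", {})
    name, value = props.get("parameterName", ""), str(props.get("value", ""))
    if CONTROL_CHARS.search(value):
        findings.append(("high", f"control character in value of {name}: {value!r}"))
    for injected in INJECTED_ASSIGNMENT.findall(value):
        sev = "critical" if injected in SHELL_PARAMS else "high"
        findings.append((sev, f"injected parameter {injected!r} inside {name}"))
    if name in SHELL_PARAMS:
        findings.append(("critical", f"direct change to shell-executing parameter {name}"))
    return findings

def hunt(records):
    """Group findings by caller, keeping only callers that triggered something."""
    hits = {}
    for rec in records:
        for finding in inspect_record(rec):
            hits.setdefault(rec.get("caller", "unknown"), []).append(finding)
    return hits
```

Run `hunt()` over exported Activity Log records; a benign log_line_prefix change yields nothing, while the PoC payload raises both a control-character and an injected-parameter finding.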
Control Gaps
- Lack of strict input validation on the Azure management API for PostgreSQL parameters
- Inability to deploy traditional endpoint security on managed PaaS database nodes
Key Behavioral Indicators
- Presence of '\f' or '\n' characters in the log_line_prefix parameter value
- Modifications to the archive_command parameter via Azure management API
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Audit Entra ID roles and ensure least privilege for users with access to compute, data, and management-plane operations.
Infrastructure Hardening
- Place managed databases behind private endpoints and restrict access to approved VNets.
- Use federated authentication (Entra ID) instead of local database credentials.
User Protection
- Require phishing-resistant MFA and Conditional Access for all critical infrastructure access.
Security Awareness
- Review and restrict permissions for external/guest users and malicious or over-permissioned applications.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1562.001 - Impair Defenses: Disable or Modify Tools
Additional IOCs
- File Paths: /dat/14/data/postgresql.conf - Underlying PostgreSQL configuration file targeted for parameter injection (identified via error logs).
- Command Lines: archive_command= - Purpose: Execute arbitrary OS commands via PostgreSQL configuration | Tools: PostgreSQL | Stage: Execution
- Other: \f'\n\nhello='world - Proof-of-concept payload used to test arbitrary parameter injection.