
curl command to 169.254.169.254 can grant an attacker full access to Key Vaults, Storage, and Domain Controllers depending on assigned RBAC roles.
The Core Vulnerability
The IMDS endpoint handles token requests at the hypervisor level. Because it requires no authentication and bypasses standard Conditional Access, it acts as a high-impact offensive primitive.
Control Plane vs. Data Plane
| Plane | Token Audience | Impact of Compromise |
|---|---|---|
| Control Plane | management.azure.com | Infrastructure mapping, resource deletion, setting modifications. |
| Data Plane | vault.azure.net / storage.azure.com | Secret extraction, PII data theft, offline Active Directory analysis. |
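As an added example that is not part of the original article, the following Python audits guest-side egress log lines for IMDS token requests and classifies each by the audience it asks for, using the control-plane/data-plane mapping in the table above. The log line format, the allow-list of binaries expected to use the VM's managed identity, and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/metadata/identity/oauth2/token"

# Token audiences from the table above, keyed without a trailing slash.
PLANE_BY_AUDIENCE = {
    "https://management.azure.com": "control",
    "https://vault.azure.net": "data",
    "https://storage.azure.com": "data",
}

# Hypothetical allow-list of binaries expected to use this VM's managed identity.
EXPECTED_EXES = {"/opt/app/worker"}

# Assumed log format: "<ts> pid=<n> exe=<path> url=<url>" (constructed, not real telemetry).
LINE_RE = re.compile(r"exe=(?P<exe>\S+) .*?url=(?P<url>\S+)")

def classify_token_request(url):
    """Return (audience, plane) for an IMDS token request URL, else None."""
    u = urlparse(url)
    if u.hostname != IMDS_HOST or u.path != TOKEN_PATH:
        return None
    resource = parse_qs(u.query).get("resource", [""])[0].rstrip("/").lower()
    return resource, PLANE_BY_AUDIENCE.get(resource, "unknown")

def audit(lines):
    """One finding per token request; flag requests from unexpected binaries."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        hit = classify_token_request(m["url"]) if m else None
        if hit is None:
            continue  # ordinary instance-metadata reads are not token minting
        audience, plane = hit
        findings.append({"exe": m["exe"], "audience": audience, "plane": plane,
                         "unexpected": m["exe"] not in EXPECTED_EXES})
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2024-05-01T10:00:00Z pid=1201 exe=/opt/app/worker url=http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net",
    "2024-05-01T10:00:05Z pid=4242 exe=/usr/bin/curl url=http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/",
    "2024-05-01T10:00:07Z pid=4242 exe=/usr/bin/curl url=http://169.254.169.254/metadata/instance?api-version=2021-02-01",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A control-plane token requested by an unexpected binary is the higher-priority alert, since the table above ties that audience to infrastructure mapping and resource changes rather than a single vault or storage account.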
Security Myths
- vTPM: Does NOT prevent user-mode IMDS token acquisition.
- Confidential VMs: Does NOT change the IMDS API access for an attacker with guest code execution.
- Global Reader: Does NOT grant Graph API access for Managed Identities without explicit appRoleAssignments.
About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

