Key points
- Fluent Bit, a widely used log-processing tool, has been found vulnerable to authentication bypass, file-write, and agent takeover attacks that could compromise cloud infrastructure, including Microsoft Azure.
- The tool’s vulnerabilities could allow attackers to rewrite or delete logs, inject false telemetry, or execute arbitrary code, posing a significant threat to the stability of the cloud ecosystem and Microsoft’s cloud services.
- The Fluent Bit project has released patched versions v4.1.1 and v4.0.12 to address the vulnerabilities; Microsoft Azure users and Windows Server administrators should upgrade to secure their systems.
According to sources, Fluent Bit, a popular log-processing tool used in containers, Kubernetes DaemonSets, and major cloud platforms like Microsoft Azure, has been found to have several critical vulnerabilities. These vulnerabilities could allow attackers to bypass authentication, write files, and even take over the agent, compromising the security of cloud infrastructure and Microsoft’s cloud services. Uri Katz, a researcher at Oligo Security’s CTO Office, said that Fluent Bit is used by many major companies, including banks, car manufacturers, and cloud providers like AWS, Google Cloud, and Microsoft Azure.
The vulnerabilities found in Fluent Bit could have severe consequences, including allowing attackers to rewrite or delete logs, inject false telemetry, or execute arbitrary code. This could enable attackers to cover their tracks, hide alerts, or even hijack the telemetry stream entirely. The most concerning issue is in the Fluent Bit forward input plugin "in_forward", which can be configured so that it appears protected but is actually wide open, allowing attackers to connect and send arbitrary logs. This issue is now tracked as CVE-2025-12969 and awaits a severity evaluation, which Windows Server administrators will need in order to gauge how serious the vulnerability is for them.
Another significant issue is the "tag" mechanism, which determines how records are routed and processed. Two bugs, CVE-2025-12978 and CVE-2025-12977, allow attackers to impersonate trusted tags and reroute logs or bypass filters. These vulnerabilities could enable attackers to corrupt downstream parsing, enable file-system writes, or allow further escalation, which could compromise the security of Microsoft Azure and Windows Server.
Oligo Security also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the "out_file" output plugin, allowing attackers to abuse the Tag value to cause path-traversal file writes or overwrites, ultimately letting them plant malicious files or gain RCE. This vulnerability is particularly concerning for Microsoft Azure users, as it could allow attackers to gain unauthorized access to their systems.
In addition, CVE-2025-12970 is a stack buffer overflow in the Docker input plugin (in_docker). If an attacker names a container with an excessively long name, the buffer overflow lets them crash the agent or execute code, allowing them to seize the logging agent, hide their activity, plant backdoors, and pivot further into the system, which could compromise the security of Windows Server and Microsoft Azure.
The Fluent Bit project has released patched versions v4.1.1 and v4.0.12 to address these vulnerabilities, a crucial step in securing Microsoft Azure and Windows Server deployments. AWS has also secured all of its internal systems that rely on Fluent Bit, working through the Fluent Bit project, and has released Fluent Bit version 4.1.1. Microsoft Azure users and Windows Server administrators should update their systems immediately to prevent potential attacks and protect their cloud infrastructure.
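A quick triage helper for administrators, added to this article as an example (not tooling from Oligo Security or the Fluent Bit project): it parses a classic-format Fluent Bit config, reports which of the plugins named above are in use, and checks the running version against the patched releases. The sample config is constructed, and the plugin-to-CVE mapping follows this article; versions older than the 4.0 branch are assumed to need upgrading.

```python
"""Flag Fluent Bit deployments that run in_forward, in_docker or out_file on a
version older than the patched releases v4.1.1 / v4.0.12 (example code added to
this article; not Oligo's or the Fluent Bit project's own tooling)."""
import re

# Patched version per release branch, as stated in the article.
FIXED = {(4, 1): (4, 1, 1), (4, 0): (4, 0, 12)}

# Classic-config plugin names mapped to the CVEs this article attributes to them.
AFFECTED = {
    ("INPUT", "forward"): ["CVE-2025-12969"],
    ("INPUT", "docker"): ["CVE-2025-12970"],
    ("OUTPUT", "file"): ["CVE-2025-12972"],
}

# Constructed sample config: one collector running all three affected plugins.
SAMPLE_CONFIG = """\
[SERVICE]
    Flush 5
[INPUT]
    Name forward
    Listen 0.0.0.0
    Port 24224
[INPUT]
    Name docker
[OUTPUT]
    Name file
    Match *
    Path /var/log/flb
"""

def parse_version(version):
    """Turn 'v4.0.11' or '4.0.11' into the tuple (4, 0, 11)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True when the version is at or above the fix for its branch. Branches
    newer than 4.1 are assumed fixed; older branches are assumed vulnerable."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    return ver >= fixed if fixed else ver > (4, 1, 1)

def parse_classic_config(text):
    """Return [(SECTION, {key: value}), ...]; keys are lower-cased."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), {}))
        elif sections:
            key, _, value = line.partition(" ")
            sections[-1][1][key.lower()] = value.strip()
    return sections

def triage(config_text, version):
    """List (section, plugin, cves) for affected plugins on an unpatched build."""
    if is_patched(version):
        return []
    return [(sec, opts["name"], cves)
            for sec, opts in parse_classic_config(config_text)
            if (cves := AFFECTED.get((sec, opts.get("name", "").lower())))]
```

Run `triage(open("fluent-bit.conf").read(), "4.0.11")` against a real config to list the plugins that make the upgrade urgent on that host.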