Azure PostgreSQL “ExtraReplica” Vulnerability Gets Patch from Microsoft

A chain of vulnerabilities in Microsoft’s Azure PostgreSQL could allow attacks but has already been patched by the company.

Microsoft has sent out a patch for a vulnerability in its Azure PostgreSQL service. According to researchers who published an advisory on the “ExtraReplica” flaw, it could allow a threat actor to exploit the bug and execute malicious code to take over a system.

Found by the firm Wiz Research, the ExtraReplica flaw in Azure PostgreSQL is a database vulnerability. In an advisory published this week, the team says the bug could leave to exploit on .

“This vulnerability allows unauthorized read access to other customers' PostgreSQL databases, bypassing tenant isolation. If exploited, a malicious actor could have replicated and gained read access to Azure PostgreSQL Flexible Server customer databases.”

According to the researchers, ExtraReplica is a “chain” of flaws in PostgreSQL that an attacker could exploit to bypass tenant isolation in Azure. The starting point of an attack would be a vulnerability that lets attackers gain access to PostgreSQL databases without authorized access.

When the threat actor picks a PostgreSQL Flexible Server to attack, they will need to find the relevant Azure region for the victim. This can be done by matching the database domain name to the Azure public IP.

The attacker then creates a database in the same region as the target system. One of the flaws allows the attacker to obtain superuser privileges, which let them execute code. The next flaw is in certificate authentication, and it allows the attacker to replicate the target database and gain wider access.
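Because the chain described above hinges on superuser privileges, replication and certificate-based authentication, a defender reviewing their own PostgreSQL deployment will want to know which roles hold those privileges and which host-based authentication rules accept certificates. The following audit queries are an added example, not code from the article or from Wiz or Microsoft; they use only the standard PostgreSQL catalog views `pg_roles` and `pg_hba_file_rules` (the latter exists in PostgreSQL 10 and later and requires a role permitted to read it, which is not the case on every managed service), and they do not reproduce any specific ExtraReplica step.

```sql
-- Added audit example (not from the article). Run as a role that can read
-- the system catalogs on a self-managed or sufficiently privileged instance.

-- 1. Roles that can act as superuser or initiate streaming replication.
--    Each entry should map to a known, deliberately provisioned account.
SELECT rolname,
       rolsuper,
       rolreplication,
       rolcreaterole,
       rolcanlogin
FROM   pg_roles
WHERE  rolsuper OR rolreplication OR rolcreaterole
ORDER  BY rolname;

-- 2. Host-based authentication rules that rely on client certificates,
--    or that open the replication pseudo-database to remote addresses.
--    Review the 'options' column: certificate rules normally carry a
--    clientcert / map setting that ties the certificate subject to a role.
SELECT line_number,
       type,
       database,
       user_name,
       address,
       netmask,
       auth_method,
       options,
       error              -- non-NULL means the rule failed to parse
FROM   pg_hba_file_rules
WHERE  auth_method = 'cert'
   OR  'replication' = ANY(database)
   OR  options::text ILIKE '%clientcert%'
ORDER  BY line_number;
```

The first query is the one to run regularly: a replication- or superuser-capable role that nobody recognises is the kind of finding that warrants an incident ticket rather than a cleanup task. The second query only lists rules that bind authentication to certificates or that expose replication; whether a given rule is acceptable depends on the address range and on how the certificate subject is mapped, so the output is a review checklist, not a verdict.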

Microsoft has known about the bug since January and was able to replicate the flaw. Wiz was given a $40,000 bug bounty for finding the vulnerability and Microsoft rolled out a fix back on February 25. Microsoft says there have been no recorded exploits in the wild.
