Azure’s Default API Connection Vulnerability Enables Full Cross-Tenant Compromise


A critical vulnerability in Microsoft Azure’s API Connection infrastructure enabled attackers to compromise resources across different Azure tenants worldwide. 

The flaw, which earned security researcher Gulbrandsrud a $40,000 bounty and a Black Hat presentation slot, exploited Azure’s shared API Management (APIM) instance architecture to gain unauthorized access to Key Vaults, Azure SQL databases, and third-party services like Jira and Salesforce across tenant boundaries.

The vulnerability centered on Azure’s globally shared APIM instance, where all API Connections are deployed, creating an attack surface that transcended tenant isolation. 


Key Takeaways
1. Azure's DynamicInvoke endpoint allowed attackers to access other tenants' API Connections.
2. Exploited connections could compromise Key Vaults, databases, and third-party services across Azure tenants.
3. Microsoft patched quickly and paid $40,000 for breaking Azure's tenant isolation model.

By manipulating the undocumented DynamicInvoke endpoint, attackers could traverse connection boundaries and access any API Connection deployed on the shared infrastructure with full backend privileges.

Azure’s Default API Connection Vulnerability

The core of the vulnerability lay in Azure Resource Manager’s (ARM) handling of the DynamicInvoke endpoint, which processes API Connection requests with super-privileged tokens. 

When ARM receives a DynamicInvoke request, it constructs URLs using the pattern /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint] with elevated authentication tokens.

Gulbrandsrud discovered that by creating a custom Logic App connector with a vulnerable path parameter, attackers could inject path traversal sequences. 

The researcher demonstrated this by defining a simple endpoint with a {path} parameter, then supplying malicious input like ../../../../[VictimConnectorType]/[VictimConnectionID]/[action]. 

When ARM processed this request, URL normalization resulted in direct access to victim connections.

The attack was demonstrated against an Azure Key Vault connection:

[Figure: Azure's Default API Connection Vulnerability]

Mitigation

Microsoft confirmed the vulnerability within three days of the April 7, 2025, disclosure and implemented mitigations within a week. 

The initial fix involved implementing a blacklist on path parameters to block ../ sequences and URL-encoded variants. 

However, Gulbrandsrud noted this solution may be insufficient, suggesting potential bypasses through alternative path normalization techniques or direct API Connection path manipulation.
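As an added illustration (not code from the article, from Gulbrandsrud, or from Microsoft), the Python below contrasts the two ways a gateway can validate a caller-supplied {path} parameter before splicing it into /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint]: the blacklist of ../ and its URL-encoded spellings that the article describes as the initial fix, and a canonicalize-then-verify check that resolves the path and requires the result to remain under the caller's own connection prefix. The URL layout and the assumption that the path is appended verbatim follow the article's description of DynamicInvoke; the function names, the connector and connection identifiers, and the sample inputs are constructed for the example.

```python
"""Added example: validating a caller-supplied {path} parameter before it is
spliced into /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint].
Not code from the article or from Azure; the URL layout follows the article's
description, everything else (names, identifiers, inputs) is constructed."""
from urllib.parse import unquote
import posixpath

APIM_PREFIX = "/apim"


def build_url(connector_type: str, connection_id: str, path_param: str) -> str:
    """Assumed construction: the caller's path is appended verbatim, which is
    the shape the article attributes to the DynamicInvoke handler."""
    return f"{APIM_PREFIX}/{connector_type}/{connection_id}/{path_param}"


def blacklist_ok(path_param: str) -> bool:
    """Initial-fix style check: reject '../' and URL-encoded spellings of it.
    Anything not on the list is allowed through, so correctness depends on the
    list being complete."""
    lowered = path_param.lower()
    return not any(bad in lowered for bad in ("../", "..%2f", "%2e%2e/", "%2e%2e%2f"))


def resolve_within_connection(connector_type: str, connection_id: str,
                              path_param: str):
    """Canonicalize-then-verify: percent-decode, collapse '.' and '..' segments
    the way a URL normalizer would, then require the result to stay under the
    caller's own connection prefix. Returns the resolved backend path, or None
    if the request would land on a different connection."""
    own_prefix = f"{APIM_PREFIX}/{connector_type}/{connection_id}/"
    # Decode and normalize in the same order the downstream component does;
    # otherwise the check validates a different path than the one actually used.
    resolved = posixpath.normpath(own_prefix + unquote(path_param))
    if resolved == own_prefix.rstrip("/") or resolved.startswith(own_prefix):
        return resolved
    return None


def canonical_ok(connector_type: str, connection_id: str, path_param: str) -> bool:
    """Boolean form of the prefix check."""
    return resolve_within_connection(connector_type, connection_id, path_param) is not None


if __name__ == "__main__":
    # Constructed inputs: one legitimate action path, and the two traversal
    # spellings the article mentions (plain and URL-encoded).
    samples = [
        "secrets/list",
        "../../../../keyvault/victim-connection/secrets",
        "..%2F..%2F..%2F..%2Fkeyvault%2Fvictim-connection%2Fsecrets",
    ]
    for p in samples:
        print(f"{p!r:62} blacklist={blacklist_ok(p)!s:5} "
              f"canonical={canonical_ok('custom', 'conn-1', p)}")
```

The blacklist passes anything it does not recognise, so it is only as good as its enumeration of traversal spellings, which is the weakness the researcher points to. The prefix check instead asks where the request ends up after normalization, so it needs no such enumeration; its one requirement is that it decode and normalize exactly as the component that later uses the path does.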

The vulnerability required Contributor-level privileges to the attacking tenant’s API Connection, limiting the attack surface to privileged users. 

However, the global scope and cross-tenant implications made this a critical security issue affecting Azure’s fundamental tenant isolation model. 

Microsoft’s substantial bounty award reflects the severity of compromising the shared infrastructure that supports Azure’s multi-tenant architecture.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.