Microsoft Azure API Management Flaw Enables Cross-Tenant Account Creation, Bypassing Admin Restrictions

A security vulnerability in the Microsoft Azure API Management (APIM) Developer Portal lets attackers register accounts on other organizations' APIM instances, even when administrators have explicitly disabled user signup in the portal interface.

The flaw, which Microsoft has classified as “by design,” remains unpatched as of December 1, 2025, leaving organizations potentially exposed to unauthorized access.​

The root cause is that disabling signup in the Azure Portal UI only hides the registration form; the underlying /signup API endpoint stays active and reachable to anyone who calls it directly.

When Basic Authentication (the “Username and password” identity provider) is configured for the Developer Portal, the backend continues to accept registration requests without checking that the tenant named in the request actually allows signup or that the request originates from that tenant's own portal.​

Attackers exploit this by manipulating the Host header of a signup request. The attack only requires access to some APIM instance with signup enabled, including one the attacker controls: they intercept a legitimate signup request to that instance, change the Host header to the target organization's APIM Developer Portal hostname, and replay it. The account is created on the victim's portal despite signup being “disabled” there.​
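The pattern behind the flaw, a setting enforced only where the form is rendered and not on the endpoint that does the work, is easier to see in a small model. The following is an added, constructed example and not Microsoft's APIM code: a shared portal backend routes /signup by the Host header for two tenants (the hostnames, field names and handler methods are all hypothetical), once with the signup toggle consulted only by the UI layer, once with the same toggle re-checked on the endpoint, and once with the Basic identity provider removed entirely, which is the mitigation the article recommends.

```python
"""Model of a signup toggle enforced only in the UI versus on the endpoint.

Constructed example, not Microsoft's implementation. Two tenants share one
portal backend that routes /signup by the Host header, as a multi-tenant
gateway does; the attacker controls that header.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    hostname: str
    signup_enabled: bool               # the admin's "Signup" toggle (hypothetical field)
    basic_auth_enabled: bool = True    # the "Username and password" identity provider
    users: set = field(default_factory=set)


@dataclass
class SignupRequest:
    host: str        # Host header value, fully attacker-controlled
    email: str
    password: str


class Portal:
    def __init__(self, tenants):
        self.tenants = {t.hostname: t for t in tenants}

    def render_signup_form(self, host):
        """UI layer: hides the form when the tenant's signup toggle is off."""
        tenant = self.tenants[host]
        return "<form action='/signup'>" if tenant.signup_enabled else ""

    def signup_ui_only(self, req):
        """Vulnerable: /signup assumes the UI gated access and only checks that
        the identity provider exists. With signup 'disabled' the form is gone,
        but a direct request to the endpoint still creates the account."""
        tenant = self.tenants[req.host]
        if not tenant.basic_auth_enabled:
            return 404, "identity provider not configured"
        tenant.users.add(req.email)
        return 201, "created"

    def signup_enforced(self, req):
        """Hardened: the endpoint re-reads the tenant's own setting on every call,
        so hiding the form and refusing the request can never drift apart."""
        tenant = self.tenants[req.host]
        if not tenant.basic_auth_enabled:
            return 404, "identity provider not configured"
        if not tenant.signup_enabled:
            return 403, "signup disabled for this tenant"
        tenant.users.add(req.email)
        return 201, "created"


def demo():
    """Attacker captures a signup to their own portal, re-points Host at the
    victim, and replays it against each handler. Returns {case: (status, created)}."""
    attacker_email = "mallory@attacker.example"
    results = {}
    cases = {
        "signup_ui_only": ("signup_ui_only", True),          # basic auth present, toggle off
        "signup_enforced": ("signup_enforced", True),        # same, but toggle enforced
        "ui_only_basic_removed": ("signup_ui_only", False),  # vulnerable code, provider deleted
    }
    for case, (handler_name, victim_has_basic) in cases.items():
        attacker = Tenant("attacker.developer.example", signup_enabled=True)
        victim = Tenant("victim.developer.example", signup_enabled=False,
                        basic_auth_enabled=victim_has_basic)
        portal = Portal([attacker, victim])
        assert portal.render_signup_form(victim.hostname) == ""  # form is hidden in every case
        forged = SignupRequest(host=victim.hostname, email=attacker_email, password="x")
        status, _ = getattr(portal, handler_name)(forged)
        results[case] = (status, attacker_email in victim.users)
    # → {'signup_ui_only': (201, True), 'signup_enforced': (403, False),
    #    'ui_only_basic_removed': (404, False)}
    return results


if __name__ == "__main__":
    print(demo())
```

The third case is the point of the recommended mitigation: when the endpoint cannot be trusted to honour the toggle, removing the identity provider it depends on closes the path regardless of how the endpoint behaves.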

The resulting risks include cross-tenant account creation on any APIM instance with Basic Authentication enabled, a complete bypass of the administrator's signup control, and, once an account exists, potential exposure of API documentation and of any subscription keys that account can obtain through the portal. Organizations that believed they had disabled public registration may unknowingly remain exposed to this attack vector.​

An APIM instance is affected if Basic Authentication is configured (regardless of the signup setting in the UI), the Developer Portal is deployed and reachable, and the service runs on the Developer, Basic, Standard, or Premium tier. The issue has been assigned a CVSS score of 6.5 (medium severity) and is classified under CWE-284 (Improper Access Control).​

Finnish security researcher Mihalis Haatainen of Bountyy Oy discovered the vulnerability on September 30, 2025, and immediately reported it to Microsoft Security Response Center (MSRC).

After submitting two detailed reports in September and November, Microsoft closed both cases, stating the behavior was “by design” and did not constitute a security vulnerability. The researcher subsequently reported the issue to CERT-FI before publicly disclosing it on November 26, 2025.​

Since Microsoft has not released a patch, organizations must take action themselves. The key step is removing the Basic Authentication identity provider from the instance entirely, not merely disabling signup in the UI, since the UI setting only hides the form.

In the Azure Portal, open the APIM instance, go to the Developer portal settings under Identities, and delete the “Username and password” identity provider.​

Additional protective measures include switching exclusively to Microsoft Entra ID (formerly Azure Active Directory) authentication so that tenant boundaries are enforced by the identity provider, auditing all existing Developer Portal user accounts for registrations created after signup was supposedly disabled, and continuously monitoring signup activity and portal API calls.
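The account audit above is the one step that can reveal whether the gap was already used. As an added example, not the researcher's script, the following Python flags username/password accounts whose registration date is later than the moment the administrator believes signup was disabled. It assumes the user list has been exported from the ARM REST API (for instance with `az rest --method get --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<apim>/users?api-version=2022-08-01"`), that each user object carries `properties.registrationDate` and `properties.identities[].provider`, and that the username/password account type is reported with the provider label `Basic`; the cutoff date and the sample document embedded below are constructed for the demonstration.

```python
"""Audit Developer Portal users for username/password registrations that
post-date the signup 'disable'. Added example; assumptions are marked inline."""
import json
from datetime import datetime, timezone

# Assumption: the moment the admin turned signup off in the Azure Portal UI.
SIGNUP_DISABLED_AT = datetime(2025, 9, 1, tzinfo=timezone.utc)

# Assumed provider label for "Username and password" accounts in the ARM user list.
BASIC_PROVIDER = "Basic"

# Constructed sample in the shape of an ARM `users` list response (not real data).
SAMPLE_USERS_JSON = json.dumps({"value": [
    {"name": "1", "properties": {"email": "alice@contoso.example", "state": "active",
     "registrationDate": "2025-03-04T10:00:00Z",
     "identities": [{"provider": "Basic", "id": "alice@contoso.example"}]}},
    {"name": "2", "properties": {"email": "bob@contoso.example", "state": "active",
     "registrationDate": "2025-10-12T08:30:00Z",
     "identities": [{"provider": "Aad", "id": "00000000-0000-0000-0000-000000000002"}]}},
    {"name": "3", "properties": {"email": "mallory@attacker.example", "state": "active",
     "registrationDate": "2025-10-15T23:41:00Z",
     "identities": [{"provider": "Basic", "id": "mallory@attacker.example"}]}},
    {"name": "4", "properties": {"email": "eve@attacker.example", "state": "pending",
     "registrationDate": "2025-11-02T01:02:03.1234567Z",   # 7-digit fraction, as ARM emits
     "identities": [{"provider": "Basic", "id": "eve@attacker.example"}]}},
]})


def parse_arm_timestamp(value):
    """Parse an ARM ISO-8601 UTC timestamp. ARM may emit seven fractional digits,
    which datetime.fromisoformat rejects before Python 3.11, so normalise to six."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def suspicious_basic_registrations(doc, cutoff, basic_provider=BASIC_PROVIDER):
    """Return users that (a) hold a username/password identity and (b) registered
    after `cutoff`, oldest first. Users without a registration date are skipped,
    since they cannot be placed relative to the cutoff."""
    hits = []
    for user in doc.get("value", []):
        props = user.get("properties", {})
        registered_raw = props.get("registrationDate")
        if not registered_raw:
            continue
        providers = {ident.get("provider") for ident in props.get("identities", [])}
        registered = parse_arm_timestamp(registered_raw)
        if basic_provider in providers and registered > cutoff:
            hits.append({
                "id": user.get("name"),
                "email": props.get("email"),
                "state": props.get("state"),
                "registered": registered.isoformat(),
            })
    return sorted(hits, key=lambda h: h["registered"])


def audit_sample(cutoff=SIGNUP_DISABLED_AT):
    """Run the audit over the embedded sample; real use would load the exported file."""
    return suspicious_basic_registrations(json.loads(SAMPLE_USERS_JSON), cutoff)


def audit_file(path, cutoff=SIGNUP_DISABLED_AT):
    """Run the audit over a JSON file produced by `az rest` as described above."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_basic_registrations(json.load(fh), cutoff)


if __name__ == "__main__":
    for hit in audit_sample():   # → users 3 and 4; alice predates the cutoff, bob is Entra ID
        print(hit)
```

Every hit is an account the administrator did not knowingly permit; block or delete it, and treat any subscriptions it created as compromised until reviewed. Entra ID accounts registered after the cutoff are deliberately left out of the list, because that provider enforces the tenant boundary the Basic provider lacks.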

Security teams can use the publicly available Python verification script and Nuclei template released by the researcher to identify vulnerable instances within their organizations.​
