Azure Default API Connection Vulnerability Allows Complete Cross-Tenant Compromise
A critical vulnerability in Microsoft Azure’s API Connection infrastructure allowed attackers to compromise resources across Azure tenants globally. The flaw, which earned researcher Gulbrandsrud a $40,000 bounty and a presentation slot at Black Hat, exploited Azure’s shared API Management (APIM) instance architecture. Through it, attackers could gain unauthorised access to Key Vaults, Azure SQL databases, and third-party services such as Jira and Salesforce across tenant boundaries. The vulnerability was rooted in Azure’s globally shared APIM instance, where all API Connections are deployed, an attack surface that undermined tenant isolation. The key takeaways are that Azure’s DynamicInvoke endpoint enabled access to other tenants’ API Connections, and that an exploited connection could compromise critical resources across Azure tenants. Microsoft acted swiftly, confirming the vulnerability within three days of its disclosure on April 7, 2025, and implementing mitigations within a week.
The core of the vulnerability lay in Azure Resource Manager’s (ARM) handling of the DynamicInvoke endpoint, which processes API Connection requests with highly privileged tokens. When ARM received a DynamicInvoke request, it constructed URLs using the pattern /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint] and called them with elevated authentication tokens. Gulbrandsrud discovered that by creating a custom Logic App connector with a vulnerable path parameter, an attacker could inject path traversal sequences. Gulbrandsrud demonstrated this by defining a simple endpoint with a path parameter and supplying input such as ../../../../[VictimConnectorType]/[VictimConnectionID]/[action]. When ARM processed the request, URL normalisation resolved the traversal and granted direct access to the victim’s connection, including an Azure Key Vault connection.

Microsoft’s initial fix implemented a blacklist on path parameters that blocks ../ sequences and their URL-encoded variants. Gulbrandsrud noted that this may be insufficient, since alternative path normalisation techniques could potentially bypass it. Although exploitation required Contributor-level privileges on the attacking tenant’s API Connection, the global scope and cross-tenant impact made this a critical issue affecting Azure’s fundamental tenant isolation model.
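As an added illustration of why a substring blacklist on the path parameter is a fragile mitigation (example code written for this page, not Microsoft’s or the researcher’s), the following Python contrasts a denylist check with a canonicalise-then-check builder that accepts an action path only if the normalised URL still lies under the caller’s own /apim/[ConnectorType]/[ConnectionId]/ prefix. The function names, the connector and connection identifiers, and the sample inputs are constructed for this example; the URL template is the one the article describes.

```python
import posixpath
from urllib.parse import unquote

# The pattern-blocking approach described in the article: literal "../" and its
# URL-encoded spellings are rejected as substrings of the raw parameter.
TRAVERSAL_MARKERS = ("../", "..%2f", "..%2F", "%2e%2e", "%2E%2E")

def denylist_allows(action: str) -> bool:
    """True if the raw path parameter contains none of the known markers."""
    return not any(marker in action for marker in TRAVERSAL_MARKERS)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so nested encodings are seen the
    way a downstream decoder would eventually see them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def build_connection_url(connector_type: str, connection_id: str, action: str) -> str:
    """Build /apim/<connector>/<connection>/<action> and accept it only if the
    canonical form still lies under the caller's own connection prefix."""
    prefix = f"/apim/{connector_type}/{connection_id}/"
    # Backslash counts as a separator too: if any plausible normaliser could
    # read the input as traversal, the safe answer is to reject it.
    candidate = prefix + fully_decode(action).replace("\\", "/")
    normalised = posixpath.normpath(candidate)
    if not normalised.startswith(prefix):
        raise ValueError(f"path escapes connection scope: {normalised}")
    return normalised

def in_scope(connector_type: str, connection_id: str, action: str) -> bool:
    """Boolean view of build_connection_url for side-by-side comparison."""
    try:
        build_connection_url(connector_type, connection_id, action)
        return True
    except ValueError:
        return False

# Constructed samples: a benign action, the traversal from the article, and two
# spellings that the substring denylist does not recognise.
SAMPLES = {
    "benign": "items/42",
    "plain_traversal": "../../../../victimtype/victimid/action",
    "double_encoded": "%252e%252e/%252e%252e/%252e%252e/%252e%252e/victimtype/victimid/action",
    "backslash": "..\\..\\..\\..\\victimtype\\victimid\\action",
}
```

Running denylist_allows and in_scope over SAMPLES shows the denylist passing the last two inputs while the canonical check rejects everything that resolves outside the caller’s own connection prefix.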
Categories: Cloud Security, API Vulnerabilities, Tenant Isolation
Tags: Azure, Vulnerability, API, Connection, Tenant, Isolation, Key Vault, DynamicInvoke, Exploit, Mitigation