Critical Vulnerability in Azure’s API Connection Infrastructure Enables Cross-Tenant Compromise

A significant security flaw has been identified in Microsoft Azure’s API Connection infrastructure that allowed an attacker to reach resources in other Azure tenants worldwide. The vulnerability, reported by security researcher Gulbrandsrud, abused the fact that every API Connection runs on a single shared Azure API Management (APIM) instance, and would have granted unauthorized access to backends such as Key Vaults, Azure SQL databases, and third-party services like Jira and Salesforce across tenant boundaries.

Understanding the Vulnerability

The core issue was that all API Connections are deployed onto one globally shared APIM instance. That shared layer created an attack surface that cut across tenant isolation, the fundamental security boundary of a multi-tenant cloud. By abusing the undocumented DynamicInvoke endpoint, an attacker could cross connection boundaries and invoke any API Connection on the shared instance with that connection’s full backend privileges.

Technical Exploitation

The vulnerability was rooted in how Azure Resource Manager (ARM) handled the DynamicInvoke endpoint. When ARM received a DynamicInvoke request, it built a URL of the form `/apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint]` and called it with a privileged authentication token rather than the caller’s own credentials. Authorization therefore rested entirely on which connection the constructed URL resolved to.

Gulbrandsrud found that a custom Logic App connector could be defined with a `{path}` parameter that ARM passed into the URL unsanitized. Supplying a value such as `../../../../[VictimConnectorType]/[VictimConnectionID]/[action]` let the `../` segments cancel out the attacker’s own connector type and connection ID during URL normalization, so the request resolved to, and was executed against, the victim’s connection.

The technique was demonstrated against an Azure Key Vault connection, the kind of backend where unauthorized access is most damaging.

Mitigation Efforts

Microsoft confirmed the vulnerability within three days of the April 7, 2025 disclosure and had mitigations in place within a week. The initial fix was a blacklist on the path parameter that blocks `../` sequences and their URL-encoded variants.

Gulbrandsrud noted that a denylist of this kind might be insufficient, pointing to possible bypasses through alternative path normalization techniques or direct manipulation of API Connection paths.
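The following Python model is an added example, not code from the original report or from Microsoft’s fix. It reproduces, on a constructed `/apim/[ConnectorType]/[ConnectionId]/...` prefix, the three patterns discussed above: a URL built by concatenating a caller-controlled path and then normalizing it (the exploitable behaviour), a denylist of `../` spellings in the spirit of the initial fix, and a decode-then-normalize-then-check routine that rejects anything resolving outside the caller’s own connection. The names, the prefix depth (two `../` segments suffice here; the reported payload used four against the real route) and the encoded variants are assumptions for illustration; whether any specific encoding gets past Azure’s actual filter is not established by the article. The structural point it shows is general: a denylist applied before decoding and normalization is only as good as its guess about what downstream components will decode.

```python
import posixpath
from urllib.parse import unquote

# Constructed model of the route shape given in the article:
#   /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint]
# Real ARM routes may be deeper; the depth only changes how many "../" are needed.


def build_connection_url(connector_type, connection_id, action_path, decode_passes=1):
    """Vulnerable pattern: the caller-controlled action_path is appended to the
    connection's prefix, percent-decoded `decode_passes` times (one server hop
    decoding once is the common case), then normalized without re-checking scope."""
    decoded = action_path
    for _ in range(decode_passes):
        decoded = unquote(decoded)
    raw = f"/apim/{connector_type}/{connection_id}/{decoded}"
    # posixpath.normpath collapses "." and ".." segments the way a URL normalizer does
    return posixpath.normpath(raw)


def denylist_check(action_path):
    """Denylist in the spirit of the initial fix described in the article
    (hypothetical recreation, not Microsoft's code): reject "../" and a few
    URL-encoded spellings. Returns True when the path is accepted."""
    lowered = action_path.lower()
    blocked = ("../", "..%2f", "%2e%2e/", "%2e%2e%2f")
    return not any(needle in lowered for needle in blocked)


def normalize_then_check(connector_type, connection_id, action_path):
    """Hardened pattern: decode until the value stops changing (defeats
    double-encoding), normalize, then require the result to remain under the
    caller's own connection prefix. Raises ValueError on escape."""
    scope = posixpath.normpath(f"/apim/{connector_type}/{connection_id}")
    decoded = action_path
    for _ in range(5):  # bounded so a pathological input cannot loop forever
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    normalized = posixpath.normpath(f"{scope}/{decoded}")
    if normalized != scope and not normalized.startswith(scope + "/"):
        raise ValueError(f"{action_path!r} resolves outside {scope}")
    return normalized


def escapes_scope(connector_type, connection_id, action_path):
    """Convenience wrapper: True if the hardened check rejects the path."""
    try:
        normalize_then_check(connector_type, connection_id, action_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attacker = ("custom", "attacker-conn")          # constructed attacker connection
    victim_action = "keyvault/victim-conn/secrets"  # constructed victim connection
    variants = {
        "plain": "../../" + victim_action,
        "encoded": "%2e%2e/%2e%2e/" + victim_action,
        "double-encoded": "%252e%252e%252f%252e%252e%252f" + victim_action,
    }
    for label, payload in variants.items():
        print(f"{label:15} one decode   -> {build_connection_url(*attacker, payload)}")
        print(f"{'':15} two decodes  -> {build_connection_url(*attacker, payload, decode_passes=2)}")
        print(f"{'':15} denylist     -> {'accepted' if denylist_check(payload) else 'blocked'}")
        print(f"{'':15} normalize    -> {'blocked' if escapes_scope(*attacker, payload) else 'accepted'}")
```

Running the block shows the plain and single-encoded payloads escaping the attacker’s prefix in `build_connection_url`, both of which the denylist catches; the double-encoded payload passes the denylist and is harmless only as long as exactly one decode happens downstream. `normalize_then_check` rejects all three and still accepts ordinary action paths, because it makes its decision on the canonical form that will actually be routed.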

Implications and Recommendations

Exploitation required Contributor-level privileges on an API Connection in the attacker’s own tenant. That restricts who can trigger the bug to holders of that role, but it is a low bar for a deliberate attacker, who needs only a subscription they control. Combined with the global scope of the shared infrastructure and the cross-tenant reach, this made it a critical flaw in Azure’s fundamental tenant isolation model.

Microsoft’s substantial bounty award of $40,000 reflects the severity of compromising the shared infrastructure that supports Azure’s multi-tenant architecture.

Organizations using Azure should inventory their API Connections, review which backend credentials each one holds, and restrict who can create or modify them. Regular audits, strict access control, and continuous monitoring remain the customer-side controls; the isolation flaw itself could only be fixed by Microsoft.