Critical Azure API Flaw Allows Unauthorized Cross-Tenant Account Creation; Microsoft Yet to Patch

Critical Flaw in Microsoft Azure API Management Allows Unauthorized Cross-Tenant Account Creation

A significant security vulnerability has been identified in Microsoft Azure’s API Management (APIM) Developer Portal, enabling attackers to create accounts across different tenant instances, even when administrators have explicitly disabled user sign-ups through the portal interface. As of December 1, 2025, this flaw remains unpatched, leaving organizations potentially exposed to unauthorized access.

Understanding the Vulnerability

The core issue lies in a design flaw where disabling the sign-up option in the Azure Portal’s user interface merely hides the registration form visually. However, the underlying `/signup` API endpoint remains active and accessible. When Basic Authentication is configured for the Developer Portal, the backend API continues to accept registration requests without validating tenant boundaries or verifying the legitimacy of the request’s origin.

Exploitation Methodology

Attackers can exploit this vulnerability by manipulating the `Host` header in sign-up requests. The process involves:

1. Accessing an APIM Instance with Sign-Up Enabled: The attacker identifies any APIM instance where user registration is permitted, including one they control.

2. Intercepting a Legitimate Sign-Up Request: Using their controlled instance, the attacker initiates a standard sign-up process.

3. Modifying the Host Header: Before forwarding the request, the attacker alters the `Host` header to point to the target organization’s APIM instance.

4. Submitting the Altered Request: The modified request is sent to the target APIM instance, resulting in the creation of an unauthorized account, despite the sign-up feature being disabled on the victim’s portal.

Potential Risks and Implications

This vulnerability introduces several critical security risks:

– Cross-Tenant Account Creation: Attackers can create accounts on any APIM instance with Basic Authentication enabled, bypassing tenant isolation mechanisms.

– Administrative Control Bypass: The flaw allows for the circumvention of administrative access controls, potentially granting unauthorized users elevated privileges.

– Exposure of Sensitive Information: Unauthorized accounts may access sensitive API documentation and subscription keys, leading to data breaches and further exploitation.

Organizations that have disabled public registration through the UI may remain unaware of their continued vulnerability to this attack vector.

Vulnerability Scope and Severity

APIM instances are susceptible if they meet the following criteria:

– Basic Authentication Configured: The instance utilizes Basic Authentication, regardless of UI settings.

– Developer Portal Deployed and Accessible: The Developer Portal is active and reachable.

– Service Tiers Affected: Developer, Basic, Standard, or Premium tiers are in use.

The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 6.5, classifying it as medium-high severity under CWE-284 (Improper Access Control).

Discovery and Disclosure Timeline

Finnish security researcher Mihalis Haatainen of Bountyy Oy discovered the vulnerability on September 30, 2025, and promptly reported it to the Microsoft Security Response Center (MSRC). Despite submitting detailed reports in September and November, Microsoft closed both cases, stating the behavior was by design and did not constitute a security vulnerability. Following this, the researcher reported the issue to CERT-FI before publicly disclosing it on November 26, 2025.

Recommended Mitigation Measures

Given the absence of an official patch from Microsoft, organizations must take immediate action to secure their APIM instances:

1. Remove Basic Authentication: Remove the Basic Authentication identity provider entirely in the Azure Portal; merely disabling sign-up in the UI is insufficient, because the `/signup` endpoint stays active while the provider exists. To do this:

– Navigate to the APIM instance in the Azure Portal.

– Access Developer Portal settings under Identities.

– Delete the Username and password identity provider entirely.

2. Implement Azure Active Directory (AAD) Authentication: Switch exclusively to AAD authentication to enforce proper tenant boundaries and enhance security.

3. Audit Existing User Accounts: Review all current Developer Portal user accounts for unauthorized registrations created after the sign-up feature was supposedly disabled.

4. Monitor Sign-Up Activity: Establish continuous monitoring of sign-up activities and API calls to detect and respond to unauthorized access attempts promptly.
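Steps 1, 3 and 4 above can be checked from the ARM control plane rather than by clicking through the portal. The following is an added example (not the advisory's or the researcher's tooling) that evaluates two responses you would fetch with `az rest` from `.../Microsoft.ApiManagement/service/<name>/identityProviders` and `.../users`; the response shapes, the `identities[].provider` and `registrationDate` field names, and all sample values are assumptions constructed for the demo.

```python
"""Audit an APIM instance: is the Basic identity provider still present, and which
Basic-auth accounts were registered after sign-up was disabled in the UI?"""
from datetime import datetime

# Constructed sample of an identityProviders listing: 'basic' is still configured.
IDENTITY_PROVIDERS = {"value": [
    {"name": "basic", "properties": {"type": "basic"}},
    {"name": "aad", "properties": {"type": "aad"}},
]}

# Constructed sample of a Developer Portal users listing (field names assumed).
USERS = {"value": [
    {"name": "u1", "properties": {"email": "dev@example.com", "state": "active",
        "registrationDate": "2025-08-12T09:00:00Z",
        "identities": [{"provider": "Basic", "id": "dev@example.com"}]}},
    {"name": "u2", "properties": {"email": "unknown@example.net", "state": "active",
        "registrationDate": "2025-11-27T03:14:00Z",
        "identities": [{"provider": "Basic", "id": "unknown@example.net"}]}},
    {"name": "u3", "properties": {"email": "alice@corp.example", "state": "active",
        "registrationDate": "2025-11-28T08:00:00Z",
        "identities": [{"provider": "Aad", "id": "aad-object-id-placeholder"}]}},
]}

def _parse(ts):
    # ARM timestamps end in 'Z'; normalise so fromisoformat accepts them on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def basic_provider_present(providers):
    """True while the 'Username and password' provider exists, i.e. /signup is still reachable."""
    return any(p.get("properties", {}).get("type", "").lower() == "basic"
               for p in providers["value"])

def suspicious_basic_users(users, signup_disabled_since):
    """Emails of accounts whose only identity is Basic and that registered after the UI cutoff."""
    cutoff = _parse(signup_disabled_since)
    hits = []
    for u in users["value"]:
        props = u["properties"]
        if {i["provider"].lower() for i in props.get("identities", [])} != {"basic"}:
            continue  # AAD-backed accounts went through a tenant-bound flow
        if _parse(props["registrationDate"]) > cutoff:
            hits.append(props["email"])
    return hits

def assess(providers, users, signup_disabled_since):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if basic_provider_present(providers):
        findings.append("basic identity provider still configured; remove it, the UI toggle is not enough")
    for email in suspicious_basic_users(users, signup_disabled_since):
        findings.append(f"basic-auth account registered after sign-up was disabled: {email}")
    return findings

if __name__ == "__main__":
    for finding in assess(IDENTITY_PROVIDERS, USERS, "2025-10-01T00:00:00Z"):
        print("FINDING:", finding)
```

Run the same functions against the live listings on a schedule to cover step 4: a new Basic-only account appearing after the cutoff is exactly the event worth alerting on.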

Security teams can utilize publicly available verification scripts and templates released by the researcher to identify vulnerable instances within their organizations.

Conclusion

The identified flaw in Microsoft Azure’s API Management Developer Portal underscores the critical importance of thorough security configurations and vigilant monitoring. Organizations must proactively address this vulnerability by removing Basic Authentication, adopting Azure Active Directory authentication, and implementing robust monitoring practices to safeguard against unauthorized access and potential data breaches.