In March 2025, security consultant Haakon Gulbrandsrud of Binary Security unveiled a critical vulnerability within Microsoft's Azure API Connections, exposing sensitive cloud data to potential unauthorized access. This discovery underscores the pressing need for robust security measures in cloud infrastructures.

Unveiling the Vulnerability

During a routine client engagement, Gulbrandsrud examined Azure Resources and identified an anomaly in the API Connection resource. He observed that individuals with Reader permissions could exploit undocumented APIs to escalate privileges and access backend resources without proper authorization. This flaw affected services such as Key Vaults, Storage Blobs, Defender ATP, Enterprise Jira, and Salesforce servers.

Technical Breakdown

The vulnerability centers on the testLinks and testRequests fields within the API Connection's response. These fields act as proxies between the Azure Management API and backend servers. Alarmingly, any user with Reader permissions could execute arbitrary GET requests through these connections, effectively bypassing intended security protocols. For instance, a user could retrieve a list of Slack channels by sending a GET request to the /extensions/proxy/conversations.list endpoint, receiving a response identical to a direct query on Slack's API.

Implications for Azure Services

The ramifications of this vulnerability are extensive:

  • Key Vaults: Unauthorized users could list and retrieve secret values, compromising sensitive data.

  • SQL Databases: Attackers could list databases, datasets, and extract rows from tables without proper authorization.

  • Jira: Malicious actors could list projects, search for issues, and access detailed information about specific issues.

This flaw also introduced the potential for Server-Side Request Forgery (SSRF) attacks. By manipulating the X-Request-Jirainstance header, attackers could redirect requests to malicious servers, capturing API tokens and further exploiting the system.

Microsoft's Response and Mitigation

Upon disclosure, Microsoft acknowledged the vulnerability and implemented fixes between January 6 and February 20, 2025. The primary remediation involved restricting the /extensions/proxy endpoint to prevent unauthorized GET requests. However, the initial response faced criticism for its lack of transparency and the time taken to address the issue.

Broader Context: Azure's Security Challenges

This incident is not isolated. Binary Security has previously identified vulnerabilities in Azure's API Management (APIM) service, where attackers with Reader permissions could escalate to full administrative control by exploiting legacy API versions. These findings highlight systemic issues within Azure's access control mechanisms and the need for continuous security assessments.

Recommendations for Azure Users

To safeguard against such vulnerabilities, organizations should:

  1. Review Permissions: Regularly audit and minimize the assignment of Reader permissions to essential personnel only.

  2. Disable Legacy APIs: Proactively disable outdated API versions to prevent exploitation of known vulnerabilities.

  3. Implement Network Controls: Restrict access to management interfaces using Virtual Networks (VNETs), jump hosts, and dedicated IP addresses.

  4. Monitor API Activity: Continuously monitor API logs for unusual activities and unauthorized access attempts.

By adopting these measures, organizations can enhance their security posture and mitigate risks associated with cloud infrastructure vulnerabilities.

In conclusion, the Azure API Connections vulnerability serves as a stark reminder of the complexities and challenges inherent in cloud security. It emphasizes the importance of vigilant monitoring, timely updates, and a proactive approach to access management to protect sensitive data in the cloud.