A critical vulnerability in Microsoft Azure’s API Connections allowed attackers to reach resources in other Azure tenants worldwide. Gulbrandsrud, who discovered the flaw, earned a $40,000 bounty and a slot to present it at Black Hat. The flaw abused Azure’s shared API Management (APIM) setup, allowing unauthorized access to Key Vaults, Azure SQL databases, and third-party services such as Jira and Salesforce.
Because every API Connection is hosted on the same shared APIM instance, a weakness there carried security risk across tenant boundaries.
Azure’s Default API Connection Vulnerability:
The vulnerability lay in how Azure Resource Manager (ARM) handled the DynamicInvoke endpoint, which forwards API Connection requests using highly privileged tokens.
When ARM receives a DynamicInvoke request, it builds a URL of the form /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint] and sends it with elevated authentication tokens.
Gulbrandsrud found that a custom Logic App connector with an unvalidated path parameter could be used for path traversal.
The researcher demonstrated this by defining a simple endpoint with a {path} parameter, then supplying input such as ../../../../[VictimConnectorType]/[VictimConnectionID]/[action].
When ARM processed the request, URL normalization resolved the ../ segments and the request landed directly on the victim’s connection.
The attack was demonstrated against an Azure Key Vault connection.

Mitigation:
Microsoft acknowledged the vulnerability within three days of the April 7, 2025 disclosure and applied fixes within a week. The first fix was a blacklist for path parameters that blocks ../ sequences and their URL-encoded variants.
Gulbrandsrud noted that this measure may not be sufficient and suggested alternatives such as path normalization or changing the layout of the API connection paths.
The attack required Contributor-level privileges on an API Connection in the attacker’s own tenant, which limits the pool of potential attackers to already-privileged users.
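To illustrate the path-normalization alternative Gulbrandsrud suggested, here is an added example (not Microsoft’s or the researcher’s code) of a scope check that resolves the caller-supplied path against a hypothetical /apim/[ConnectorType]/[ConnectionId]/ prefix before any request is built; the function names and sample values are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical validator illustrating the path-normalization mitigation
# discussed in the article; it is not Azure's or Microsoft's implementation.
_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def build_connection_url(connector_type: str, connection_id: str, action_path: str) -> str:
    """Return the resolved /apim/... URL for a caller-supplied action path,
    or raise ValueError if that path would leave the connection's own scope."""
    # Connector type and connection id identify the caller's own connection,
    # but refuse anything that could itself smuggle in a path separator.
    if not (_SEGMENT.match(connector_type) and _SEGMENT.match(connection_id)):
        raise ValueError("invalid connector type or connection id")
    base = f"/apim/{connector_type}/{connection_id}/"

    # Decode repeatedly so single- or double-encoded dot segments reach the
    # normalizer instead of surviving until a later component decodes them.
    decoded = action_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step

    # Backslashes and NUL bytes are read as separators or terminators by some
    # HTTP stacks; reject them rather than guess how a downstream hop parses them.
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("unsupported characters in path")

    # Resolve '.' and '..' the way a front end would, then enforce the prefix.
    # An empty action path fails too, because normpath drops the trailing '/'.
    resolved = posixpath.normpath(base + decoded)
    if not resolved.startswith(base):
        raise ValueError(f"path escapes connection scope: {action_path!r}")
    return resolved


def escapes_scope(connector_type: str, connection_id: str, action_path: str) -> bool:
    """True if build_connection_url would reject the path."""
    try:
        build_connection_url(connector_type, connection_id, action_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate action path and two traversal attempts.
    print(build_connection_url("keyvault", "conn-123", "secrets/db-password"))
    for probe in ("../../../../othertype/conn-999/action", "%2e%2e/%2e%2e/x"):
        print(probe, "->", "rejected" if escapes_scope("keyvault", "conn-123", probe) else "allowed")
```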