Azure API Management Flaw Allowed Privilege Escalation

A critical vulnerability was identified in Azure API Management (APIM), allowing users with Reader-level access to escalate their privileges to Contributor-level access. This flaw enabled unauthorized users to read, modify, and delete APIM configurations via the Direct Management API.

Researchers from Binary Security attributed the issue to a vulnerability in the Azure Resource Manager (ARM) API, which is used to interact with APIM resources. Although Microsoft had previously introduced measures to limit Reader access in newer API versions, this bug allowed those restrictions to be bypassed.

An attacker could exploit this flaw by using a specific ARM API endpoint to access the default admin keys.

Azure API Management Settings

A recently discovered vulnerability in Azure API Management (APIM) allowed users with Reader-level access to escalate privileges to Contributor-level, enabling them to perform any management operation. By obtaining default admin keys, attackers could generate SharedAccessSignatures, giving them full control over the APIM resource via the Direct Management API.

This flaw also allowed attackers to access sensitive information such as subscription keys, identity provider keys, and named value secrets, potentially compromising Azure, Entra ID, and other systems. Microsoft quickly addressed the issue by restricting access to the affected ARM API for Reader-level users, applying the fix across all APIM instances.

Experts emphasize the importance of defense in depth, advising organizations to make critical resources private and accessible only through their virtual network (VNET) and CI/CD runners. As vulnerabilities continue to emerge, proactive security measures are crucial in safeguarding Azure environments.
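The defense-in-depth advice above can be checked mechanically. The following is an added example, not code from the original article or from Binary Security: it audits a list of APIM instances (constructed here in the shape of `az apim list -o json` output, reading only the `virtualNetworkType` and `publicNetworkAccess` ARM properties) and flags any instance that is still reachable from outside its virtual network.

```python
import json

# Constructed sample in the shape of `az apim list -o json` output.
# Assumption: only the fields the check reads are included.
SAMPLE_APIM_LIST = json.dumps([
    {"name": "apim-public", "resourceGroup": "rg-a",
     "virtualNetworkType": "None", "publicNetworkAccess": "Enabled"},
    {"name": "apim-private-link", "resourceGroup": "rg-a",
     "virtualNetworkType": "None", "publicNetworkAccess": "Disabled"},
    {"name": "apim-internal", "resourceGroup": "rg-b",
     "virtualNetworkType": "Internal", "publicNetworkAccess": "Disabled"},
])


def assess_instance(svc):
    """Return a list of exposure findings for one APIM service resource.

    An instance is considered private only when it is deployed in
    Internal VNET mode and public network access is explicitly Disabled.
    """
    findings = []
    # virtualNetworkType is None (no VNET), External or Internal.
    if svc.get("virtualNetworkType", "None") != "Internal":
        findings.append("not in Internal VNET mode (reachable from the internet)")
    # publicNetworkAccess defaults to Enabled when the property is absent.
    if svc.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    return findings


def audit(apim_list_json):
    """Map 'resourceGroup/name' -> findings for every instance in the JSON."""
    report = {}
    for svc in json.loads(apim_list_json):
        key = f"{svc['resourceGroup']}/{svc['name']}"
        report[key] = assess_instance(svc)
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APIM_LIST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Replace `SAMPLE_APIM_LIST` with the real `az apim list -o json` output to run it against a subscription.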
