Critical Azure API Connection Vulnerability Allows Privilege Escalation and Secret Exfiltration
2025-03-12
Binary Security researchers discovered undocumented APIs in Azure API Connections, enabling privilege escalation and secret exfiltration from backend resources like Key Vaults, Storage Blobs, Defender ATP, and even enterprise Jira and Salesforce servers. The vulnerability stems from the ability of any user with read access to an API connection to invoke any defined GET request, bypassing security controls and accessing sensitive data. Microsoft has acknowledged and patched the vulnerability.