Azure OpenAI Service Insecure Default Network Settings Allow Unauthorized Endpoint Discovery
Overview
A security analysis of cloud AI services revealed that Azure OpenAI Service instances were, by default, provisioned with a publicly accessible API endpoint. Unless an administrator explicitly configured a VNet service endpoint or a private endpoint during or after setup, the service's API endpoint was reachable from the public internet. Although access still requires a valid API key, this configuration exposed the endpoint to a range of attacks, including API key brute-forcing, credential stuffing with keys leaked in other breaches, and reconnaissance ahead of exploiting potential future zero-day vulnerabilities in the API gateway. Security researchers used internet-wide scanning to discover thousands of such exposed endpoints. This public exposure significantly increases the attack surface and violates the principle of least privilege for network access. In misconfigured enterprise environments, overly permissive firewall egress rules could allow internal services to connect to these public endpoints, bypassing the intended VNet traffic flows. The core issue was a default setting that prioritized ease of use over a secure-by-default posture, placing the onus on customers to manually lock down network access.
Affected Systems
Testing Guide
1. **Check Azure Portal**: For each of your Azure OpenAI resources, navigate to the 'Networking' tab and verify that 'Public network access' is set to 'Disabled' or 'Enabled from selected virtual networks and IP addresses'. If 'Enabled from all networks' is selected, you are affected.
2. **Run a Network Scan**: From an external machine not on your VNet, attempt to connect to your service endpoint using a tool like `nmap` or `Test-NetConnection`.

```powershell
Test-NetConnection your-aoai-resource.openai.azure.com -Port 443
```

If `TcpTestSucceeded` is `True`, your endpoint is publicly accessible.
Mitigation Steps
1. **Disable Public Network Access**: In the Azure Portal, navigate to your Azure OpenAI resource, go to the 'Networking' tab, and explicitly select 'Disabled' for public network access.
2. **Use Private Endpoints**: For all internal traffic, connect to your OpenAI resource using a Private Endpoint. This ensures traffic remains on the Microsoft backbone network and is not exposed to the internet.
3. **Implement Azure Policy**: Use Azure Policy to enforce that all `Microsoft.CognitiveServices/accounts` resources must have public network access disabled. Create an audit policy to detect non-compliant existing resources.
4. **Rotate API Keys**: Regularly rotate API keys and store them securely in Azure Key Vault, rather than embedding them in application code or configuration files.
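The Testing Guide's portal check and the Azure Policy audit in step 3 both come down to the same two resource properties: `publicNetworkAccess` and `networkAcls.defaultAction`. The script below is an added example (not part of the original advisory, and not Microsoft tooling) that evaluates those properties over resource JSON in the shape returned by the ARM API or `az cognitiveservices account list -o json`; the exact field names and the three sample resources are assumptions constructed for this example, and a missing `publicNetworkAccess` value is treated as `Enabled`, which is the insecure default the advisory describes. A control-plane check like this is stronger evidence than the `Test-NetConnection` probe, because a TCP connect on port 443 only shows that a front-end is listening, not which networks the service actually admits.

```python
"""Audit Azure OpenAI (Microsoft.CognitiveServices/accounts, kind 'OpenAI')
resources for public network exposure.

Added example for this advisory, not Microsoft code. Input is a list of
resource objects as returned by the ARM API / `az cognitiveservices account
list -o json` (field names assumed from that schema).
"""
import json

# Constructed sample documents: one resource per Portal setting.
SAMPLE_RESOURCES_JSON = """
[
  {
    "name": "aoai-prod-open",
    "kind": "OpenAI",
    "properties": {
      "publicNetworkAccess": "Enabled",
      "networkAcls": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
      "privateEndpointConnections": []
    }
  },
  {
    "name": "aoai-prod-allowlist",
    "kind": "OpenAI",
    "properties": {
      "publicNetworkAccess": "Enabled",
      "networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.0/24"}],
        "virtualNetworkRules": []
      },
      "privateEndpointConnections": []
    }
  },
  {
    "name": "aoai-prod-private",
    "kind": "OpenAI",
    "properties": {
      "publicNetworkAccess": "Disabled",
      "networkAcls": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
      "privateEndpointConnections": [{"name": "pe-aoai-prod"}]
    }
  }
]
"""

PUBLIC = "public"          # Portal: 'Enabled from all networks' (affected)
RESTRICTED = "restricted"  # Portal: 'Enabled from selected virtual networks and IP addresses'
PRIVATE = "private"        # Portal: 'Disabled' (private endpoints only)


def load_sample() -> list:
    """Parse the constructed sample above (stands in for the CLI/ARM output)."""
    return json.loads(SAMPLE_RESOURCES_JSON)


def classify_exposure(resource: dict) -> str:
    """Map a resource's network properties onto the three Portal settings."""
    props = resource.get("properties") or {}
    # Assumption: an absent value means the insecure default, 'Enabled'.
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return PRIVATE
    acls = props.get("networkAcls") or {}
    # 'Deny' by default with explicit IP/VNet rules is the 'selected networks' mode.
    if str(acls.get("defaultAction", "Allow")).lower() == "deny":
        return RESTRICTED
    return PUBLIC


def audit(resources: list) -> dict:
    """Return {resource name: classification} for every Azure OpenAI account."""
    return {
        r["name"]: classify_exposure(r)
        for r in resources
        if r.get("kind") == "OpenAI"
    }


def non_compliant(resources: list, allow_restricted: bool = True) -> list:
    """Names of resources that would fail the policy in mitigation step 3.

    With allow_restricted=False the check is the strict form (public access
    must be fully disabled), matching step 1 of the mitigation.
    """
    permitted = {PRIVATE, RESTRICTED} if allow_restricted else {PRIVATE}
    return sorted(name for name, cls in audit(resources).items() if cls not in permitted)


if __name__ == "__main__":
    for name, cls in audit(load_sample()).items():
        print(f"{name}: {cls}")
    print("non-compliant (strict):", non_compliant(load_sample(), allow_restricted=False))
```

To run it against a real subscription, replace `load_sample()` with `json.load()` over the output of `az cognitiveservices account list -o json`; the classification logic itself is what an Azure Policy audit effect would evaluate per resource.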
Patch Details
This is a configuration issue. Microsoft has updated its documentation and Well-Architected Framework to strongly recommend disabling public access as a best practice.