CRITICAL Patch Available

Cross-Tenant Data Access in Azure AI Services via 'a la carte' API Manipulation

Discovered 18 November 2025 20 views

Overview

Security researchers at Wiz discovered a critical, multi-stage vulnerability chain within Microsoft's Azure AI platform, allowing for a full breakdown of multi-tenant isolation. Dubbed 'a la carte', the attack enabled a malicious actor in one Azure tenant to access sensitive data, including AI models and training datasets, from any other tenant. The attack began by gaining access to an overly permissive, internal Azure AI service principal. Researchers achieved this by exploiting a misconfiguration in the Azure Machine Learning compute instance creation process. With control over this privileged identity, they could perform actions on behalf of other tenants. The core of the exploit involved a 'confused deputy' attack. The attacker would use their own customer-managed key (CMK) to encrypt data on a victim's Azure AI service instance. Then, leveraging the compromised service principal, they would command the victim's service to decrypt the data. Since the service had legitimate access to the data but was being directed by the attacker, it would decrypt the sensitive information and return it to the attacker's storage account. The attack successfully bypassed standard tenant boundaries, demonstrating a significant architectural flaw in the platform's internal security model. Microsoft swiftly patched the issue by revoking vulnerable certificates and implementing stricter network and identity controls for its internal services.

Affected Systems

Azure Machine LearningAzure Cognitive SearchAzure OpenAI Service

Testing Guide

This vulnerability was a server-side flaw within the Azure infrastructure and cannot be tested by customers. The primary method of confirmation is to rely on Microsoft's official security advisories and post-mortem reports confirming the issue has been remediated across the platform.

Mitigation Steps

1. **Cloud Provider Patching**: This vulnerability was server-side and has been patched by Microsoft. No customer action is required to fix the root cause. 2. **Rotate Keys**: As a best practice following a significant cloud vulnerability disclosure, customers should consider rotating customer-managed encryption keys (CMKs). 3. **Monitor Access Logs**: Regularly review Azure Monitor and Microsoft Sentinel logs for anomalous access patterns to sensitive AI resources, especially from unexpected service principals. 4. **Enforce Network Controls**: Use private endpoints and virtual network service endpoints to restrict public access to Azure AI services.

Patch Details

The vulnerability was mitigated by Microsoft on the backend. Microsoft issued security advisories and patched the affected internal services.

Sources

← Back to vulnerabilities