Cross-Tenant Data Access in Azure Machine Learning via Bing Service Misconfiguration
Overview
A critical multi-tenant vulnerability, dubbed 'AI-gility', was discovered in Microsoft's Azure AI platform, allowing unauthorized access to other customers' data and AI models. The flaw originated from a misconfiguration in an internal Bing search service that was integrated with the Azure Machine Learning (AML) environment. Researchers at Wiz found that this Bing service had an overly permissive network scope and weak authentication, allowing it to be accessed from within any customer's AML compute instance. By chaining this with a Server-Side Request Forgery (SSRF) vulnerability and the ability to control DNS resolution via a malicious notebook, an attacker in one Azure tenant could forge requests to internal Azure control plane APIs. This enabled them to obtain privileged internal credentials. Using these credentials, the attacker could then query the Azure Machine Learning API and gain read and write access to the isolated storage accounts of other tenants in the same region. This allowed for the exfiltration of sensitive training data, poisoning of production AI models, and disruption of critical AI workloads, completely breaking the tenant isolation model that is fundamental to cloud security. Microsoft remediated the vulnerability by enforcing stricter network segmentation, certificate validation, and authentication controls on the internal services.
Affected Systems
Testing Guide
This vulnerability was in the cloud provider's infrastructure and has been patched. It is not possible for customers to test for this specific historical vulnerability directly. The best approach is to verify that your Azure ML environment follows current security best practices:
1. In the Azure Portal, navigate to your Azure Machine Learning workspace.
2. Under the 'Networking' tab, confirm that the 'Public network access' is set to 'Disabled' and that the workspace is connected to a Virtual Network.
3. Review the 'Identity' settings to ensure Managed Identities are being used for resource access instead of keys or secrets.
4. Check the 'Encryption' settings to see if you are using Microsoft-managed or customer-managed keys.
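The same checks can be run against an exported workspace definition instead of clicking through the portal. The script below is an added example, not Microsoft or Wiz tooling: it assumes the ARM JSON shape of a `Microsoft.MachineLearningServices/workspaces` resource (as returned by `az resource show --ids <workspace-resource-id>`), uses a constructed sample workspace, and treats an approved private endpoint connection as the evidence of Virtual Network connectivity.

```python
import json

# Constructed sample: trimmed ARM view of a workspace; all values are placeholders.
SAMPLE_WORKSPACE = json.loads("""
{
  "name": "example-ws",
  "identity": {"type": "SystemAssigned"},
  "properties": {
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [],
    "encryption": null
  }
}
""")


def _lower(value):
    """Lower-case a possibly missing JSON value."""
    return str(value or "").lower()


def audit_workspace(resource):
    """Map each Testing Guide check to a (status, detail) pair."""
    props = resource.get("properties") or {}
    findings = {}

    # Step 2a: public network access must be 'Disabled'; a missing value fails closed.
    pna = props.get("publicNetworkAccess") or "missing"
    findings["public_network_access"] = ("PASS" if _lower(pna) == "disabled" else "FAIL", pna)

    # Step 2b (assumption): an approved private endpoint shows a VNet path exists.
    approved = 0
    for conn in props.get("privateEndpointConnections") or []:
        state = (conn.get("properties") or {}).get("privateLinkServiceConnectionState") or {}
        approved += _lower(state.get("status")) == "approved"
    findings["private_endpoint"] = ("PASS" if approved else "FAIL", f"{approved} approved")

    # Step 3: an identity is assigned; whether datastores still use keys needs a separate review.
    id_type = (resource.get("identity") or {}).get("type") or "None"
    findings["managed_identity"] = ("PASS" if _lower(id_type) != "none" else "FAIL", id_type)

    # Step 4: informational only, reports which key type encrypts data at rest.
    enc = props.get("encryption") or {}
    key_id = (enc.get("keyVaultProperties") or {}).get("keyIdentifier")
    cmk = _lower(enc.get("status")) == "enabled" and bool(key_id)
    findings["encryption"] = ("INFO", "customer-managed key" if cmk else "Microsoft-managed key")
    return findings


if __name__ == "__main__":
    for check, (status, detail) in audit_workspace(SAMPLE_WORKSPACE).items():
        print(f"{status:4} {check}: {detail}")
```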
Mitigation Steps
1. **No User Action Required (Vendor Patched):** Microsoft patched the underlying infrastructure misconfiguration, and no action is required from Azure customers.
2. **Follow Cloud Security Best Practices:** Despite the patch, always adhere to the principle of least privilege. Use Virtual Networks (VNet) to isolate your Azure ML workspaces and compute resources from the public internet.
3. **Use Customer-Managed Keys:** For highly sensitive data, use Customer-Managed Encryption Keys (CMEK) to encrypt data at rest, providing an additional layer of control.
4. **Monitor Audit Logs:** Regularly review Azure Monitor and Azure Activity Logs for your ML workspaces for any anomalous API calls or access patterns.
Patch Details
Microsoft addressed the vulnerability on their backend infrastructure in early 2024 after responsible disclosure by Wiz.