CRITICAL Patch Available

Cross-Tenant Vulnerability in Azure AI Allows Access to Other Customers' Resources

Discovered 5 September 2025 0 views

Overview

A critical multi-tenancy vulnerability, dubbed 'AI Jacking', was discovered in Microsoft's Azure AI platform (specifically, Azure Machine Learning Compute Instances). Researchers found a misconfiguration in the service's internal networking and authentication mechanisms that allowed an attacker with access to one Azure ML workspace to break out of their tenant boundary. By exploiting a Server-Side Request Forgery (SSRF) vulnerability and chaining it with an internal privilege escalation, an attacker could gain root access to the underlying compute node shared by multiple customers. From this compromised node, the attacker could then access the sensitive data, training jobs, and deployed models of other Azure tenants hosted on the same physical infrastructure. This complete breakdown of tenant isolation posed a severe risk of intellectual property theft and data leakage for organizations relying on the affected Azure AI services for their machine learning workloads. The discovery highlighted the complex security challenges of building secure multi-tenant cloud AI platforms.

Affected Systems

Microsoft Azure Machine Learning

Testing Guide

This vulnerability existed in the cloud provider's infrastructure and cannot be directly tested by customers. The primary method of verification is to confirm with Microsoft's security advisories that the issue was resolved. Customers can audit their environments to ensure they are following security best practices, such as deploying resources inside a VNet.

Mitigation Steps

1. **No Customer Action Required for Patch:** Microsoft patched the vulnerability on their backend infrastructure, and the fix was rolled out automatically to all customers. 2. **Use Virtual Networks (VNet):** As a defense-in-depth best practice, deploy Azure ML Compute Instances and other resources within a private Virtual Network to restrict inbound and outbound traffic. 3. **Apply Principle of Least Privilege:** Use Azure IAM roles to ensure that users and service principals only have the minimum necessary permissions to perform their tasks. 4. **Monitor Audit Logs:** Regularly review Azure Monitor and Microsoft Sentinel logs for suspicious activity related to compute instances or cross-service communication.

Patch Details

Microsoft fully remediated this issue on the Azure backend in September 2025. No customer action was required to receive the protection.

Sources

https://www.wiz.io/blog/ai-jacking-new-attack-vector-in-the-age-of-ai

← Back to vulnerabilities