Server-Side Request Forgery (SSRF) in Azure AI Services Leading to Internal Metadata Exposure
Overview
Cloud security firm Wiz discovered a critical Server-Side Request Forgery (SSRF) vulnerability in the data ingestion component of a core Azure AI service. The vulnerable feature allowed users to import data from an external URL for processing or indexing. The server-side component responsible for fetching the data from the user-provided URL failed to properly validate and sanitize the input. This allowed an authenticated attacker to provide internal Azure IP addresses and special hostnames instead of public URLs. The most significant impact of this flaw was the ability to target the Azure Instance Metadata Service (IMDS) endpoint at `169.254.169.254`. By crafting a request to this endpoint, the attacker could trick the Azure AI service into making a request to its own metadata service and returning the response. This response included temporary, short-lived managed identity credentials for the underlying service infrastructure. An attacker could then use these exfiltrated credentials to authenticate as the compromised Azure service and potentially access other internal Azure resources, including storage accounts and databases, belonging to other tenants. The vulnerability exposed a critical flaw in a multi-tenant service, where a weakness in input validation could be leveraged to break tenant isolation boundaries. Microsoft addressed the vulnerability by implementing a strict allowlist for outbound connections and enhancing URL validation.
Affected Systems
Testing Guide
1. This was a server-side vulnerability in an Azure service, so direct testing by customers is not feasible or permitted.
2. To test your own applications for similar vulnerabilities, use a web application scanner or provide an internal-only URL (like a Burp Suite Collaborator link or an internal IP) to any feature that fetches data from a URL.
3. If the application successfully connects to your internal-only endpoint, it is vulnerable to SSRF.
Mitigation Steps
1. **No User Action Required (Service-Side Fix):** The primary vulnerability was fixed by Microsoft on the Azure backend. Customers do not need to patch their own applications.
2. **Defense in Depth - Network Security:** For custom applications, always deploy services that handle user-provided URLs within a virtual network with strict egress rules that deny access to internal IP ranges and the IMDS endpoint.
3. **Enforce IMDSv2:** In your own virtual machines, enforce the use of IMDSv2, which requires an additional header and provides protection against SSRF attacks.
4. **Review Service Permissions:** Regularly audit the permissions granted to managed identities for your services, following the principle of least privilege to limit the impact of a credential leak.
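The allowlist and URL validation described above (Overview and mitigation step 2), as an added example of the application-side check a URL-ingestion feature should run before fetching; this is illustrative code, not Microsoft's fix. It assumes the service accepts only http(s) URLs, optionally restricted to an explicit host allowlist, and that the `resolver` argument is injected so the check can be exercised offline.

```python
"""Validate a user-supplied ingestion URL before a server-side fetch.

Constructed example: rejects the Azure IMDS address (169.254.169.254),
its IPv4-mapped IPv6 form, and any private/link-local/loopback target,
whether given as a literal or reached through DNS resolution.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

IMDS_ADDRESS = ipaddress.ip_address("169.254.169.254")


def _is_internal(addr):
    """True for any address an outbound fetcher must never reach."""
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # [::ffff:169.254.169.254] is IMDS too
    return (addr == IMDS_ADDRESS or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def is_safe_url(url, allowed_hosts=None, resolver=socket.gethostbyname):
    """Return True only if url is http(s), its host is on the allowlist
    (when one is given), and neither the literal host nor the address it
    resolves to is internal. Tricks such as user@host, bracketed IPv6
    and decimal IPs are handled by urlsplit plus the resolved-IP check."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, userinfo and brackets stripped
    if parts.scheme not in ("http", "https") or not host:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    try:
        return not _is_internal(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; fall through to DNS
    try:
        resolved = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False  # unresolvable or odd resolver output: refuse
    return not _is_internal(resolved)
```

The fetch that follows must connect to the address that was validated and either disable redirects or re-run `is_safe_url` on every hop, otherwise a rebinding DNS record or a 302 to `169.254.169.254` bypasses the check.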
Patch Details
Microsoft deployed a server-side patch to the Azure AI services infrastructure in August 2025.