A significant security vulnerability in the Microsoft Azure API Management (APIM) Developer Portal allows attackers to register accounts across different tenant instances, even when administrators have explicitly disabled user signup through the portal interface.
The flaw, which Microsoft has classified as "by design," remains unpatched as of December 1, 2025, leaving organizations potentially exposed to unauthorized access.
The issue stems from a fundamental design flaw: disabling signup in the Azure Portal UI only hides the registration form visually, while the underlying /signup API endpoint remains fully active and reachable.
When Basic Authentication (the "Username and password" identity provider) is configured for the Developer Portal, the backend API continues to accept registration requests without validating tenant boundaries or verifying that the request originates from an authorized source.
Microsoft Azure API Management Flaw
Attackers exploit this vulnerability by manipulating the Host header in signup requests. The attack requires access to any APIM instance with signup enabled, including one controlled by the attacker: they intercept a legitimate signup request from that instance, rewrite the Host header to point at a target organization's APIM instance, and successfully create an account even though signup is "disabled" on the victim's portal.
The vulnerability creates several serious risks, including cross-tenant account creation on any APIM instance with Basic Authentication enabled, complete bypass of the administrative signup control, and potential exposure of sensitive API documentation and subscription keys. Organizations that believed they had disabled public registration may unknowingly remain exposed to this attack vector.
APIM instances are vulnerable if Basic Authentication is configured (regardless of UI settings), the Developer Portal is deployed and accessible, and the service runs on the Developer, Basic, Standard, or Premium tier. The vulnerability has been assigned a CVSS score of 6.5 (medium severity) under CWE-284 (Improper Access Control).
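The following model shows the design point behind the attack described above, with the behaviour as reported placed beside a server-side-enforced variant and beside the remediation the article recommends. It is an added illustration written for this article, not Microsoft's code: the tenant records, hostnames, request object and handler logic are constructed and do not reproduce the real APIM signup request format.

```python
"""Model of the reported APIM Developer Portal signup behaviour.

Added illustration for this article; not Microsoft code. Tenant records,
hostnames and the request shape are constructed. The point it demonstrates:
a UI toggle that only hides the form is not an access control, because the
backend resolves the tenant from the attacker-controlled Host header and
registers the account as long as the Basic identity provider exists.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    host: str                    # developer portal hostname (constructed)
    basic_auth_configured: bool  # "Username and password" identity provider present
    signup_enabled_in_ui: bool   # the toggle administrators believed disabled signup
    users: set = field(default_factory=set)


@dataclass
class SignupRequest:
    host: str      # Host header, fully client-controlled
    email: str
    password: str


def signup_as_described(tenants, req):
    """Backend behaviour the article describes: the UI toggle is never consulted."""
    tenant = tenants.get(req.host)
    if tenant is None:
        return 404
    if not tenant.basic_auth_configured:
        return 404  # no Basic provider, so there is nothing to register against
    tenant.users.add(req.email)
    return 201


def signup_enforced(tenants, req):
    """What server-side enforcement looks like: the API checks the toggle itself."""
    tenant = tenants.get(req.host)
    if tenant is None or not tenant.basic_auth_configured:
        return 404
    if not tenant.signup_enabled_in_ui:
        return 403
    tenant.users.add(req.email)
    return 201


def run_scenario(handler):
    """Attacker captures a signup on their own instance and replays it with the
    Host header swapped to the victim. Returns (status, account_created_on_victim)."""
    attacker = Tenant("attacker-apim.developer.azure-api.net", True, True)
    victim = Tenant("victim-apim.developer.azure-api.net", True, False)  # signup "off" in UI
    tenants = {t.host: t for t in (attacker, victim)}
    captured = SignupRequest(attacker.host, "outsider@attacker.example", "pw")
    replayed = SignupRequest(victim.host, captured.email, captured.password)
    status = handler(tenants, replayed)
    return status, captured.email in victim.users


def run_after_removing_basic_provider(handler):
    """Article's remediation: delete the Username and password identity provider.
    Returns (status, account_created_on_victim)."""
    victim = Tenant("victim-apim.developer.azure-api.net", False, False)
    tenants = {victim.host: victim}
    req = SignupRequest(victim.host, "outsider@attacker.example", "pw")
    return handler(tenants, req), bool(victim.users)


if __name__ == "__main__":
    print("as described, UI toggle off:", run_scenario(signup_as_described))
    print("server-side enforcement:   ", run_scenario(signup_enforced))
    print("Basic provider removed:    ", run_after_removing_basic_provider(signup_as_described))
```

The first scenario returns a created account despite the toggle; only checking the setting in the API handler, or removing the Basic provider altogether, changes the outcome.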
Finnish security researcher Mihalis Haatainen of Bountyy Oy discovered the vulnerability on September 30, 2025, and immediately reported it to the Microsoft Security Response Center (MSRC).
After the researcher submitted two detailed reports in September and November, Microsoft closed both cases, stating that the behavior was "by design" and did not constitute a security vulnerability. The researcher subsequently reported the issue to CERT-FI before publicly disclosing it on November 26, 2025.
Since Microsoft has not released a patch, organizations must take immediate action to protect their APIM instances. The most important step is completely removing the Basic Authentication identity provider from the Azure Portal, not merely disabling signup in the UI.
Organizations should navigate to their APIM instance, open the Developer Portal settings under Identities, and delete the "Username and password" identity provider entirely.
Additional protective measures include switching exclusively to Azure Active Directory (Microsoft Entra ID) authentication to enforce proper tenant boundaries, auditing all existing Developer Portal user accounts for unauthorized registrations created after signup was supposedly disabled, and implementing continuous monitoring of signup activity and API calls.
Security teams can use the publicly available Python verification script and Nuclei template released by the researcher to identify vulnerable instances within their organizations.
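The account audit recommended above can be done offline against an exported user list. The script below is an added example for this article, not the researcher's verification script and not Microsoft tooling. It assumes the input is the JSON returned by the ARM list-users call for an APIM service (a `value` array of user resources whose `properties` carry `email`, `state`, `registrationDate` and an `identities` list with a `provider` field); that shape is an assumption, and the embedded sample is constructed, not captured from a real service.

```python
"""Audit APIM Developer Portal users registered via Basic ("Username and
password") after the signup toggle was switched off in the UI.

Added example for this article; not the researcher's script or Microsoft
tooling. Input shape (ARM users list: value[].properties.{email,state,
registrationDate,identities[].provider}) is an assumption. Sample is constructed.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the assumed ARM response shape.
SAMPLE_USERS_JSON = """
{
  "value": [
    {"name": "1",
     "properties": {"email": "admin@contoso.example", "state": "active",
                    "registrationDate": "2024-03-12T09:00:00.0000000Z",
                    "identities": [{"provider": "Basic", "id": "admin@contoso.example"}]}},
    {"name": "aad-user",
     "properties": {"email": "dev@contoso.example", "state": "active",
                    "registrationDate": "2025-10-20T11:30:00Z",
                    "identities": [{"provider": "Aad", "id": "00000000-0000-0000-0000-000000000000"}]}},
    {"name": "unexpected",
     "properties": {"email": "outsider@attacker.example", "state": "active",
                    "registrationDate": "2025-11-01T22:17:45.123Z",
                    "identities": [{"provider": "Basic", "id": "outsider@attacker.example"}]}}
  ]
}
"""


def parse_arm_timestamp(value):
    """Parse ARM timestamps such as 2025-11-01T22:17:45.1234567Z into aware UTC
    datetimes. Fractional seconds are dropped because fromisoformat() on older
    Python versions accepts only 3 or 6 fractional digits."""
    cleaned = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    dt = datetime.fromisoformat(cleaned)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def uses_basic_identity(user_properties):
    """True if any identity on the user was issued by the Basic provider."""
    return any(i.get("provider", "").lower() == "basic"
               for i in user_properties.get("identities", []))


def find_suspicious_users(payload, signup_disabled_at):
    """Return (email, registration time) for every Basic-provider user whose
    registrationDate is later than the moment signup was 'disabled' in the UI.
    AAD/B2C users are skipped: those providers bind the identity to a tenant."""
    suspicious = []
    for user in payload.get("value", []):
        props = user.get("properties", {})
        if not uses_basic_identity(props):
            continue
        registered = parse_arm_timestamp(props["registrationDate"])
        if registered > signup_disabled_at:
            suspicious.append((props.get("email"), registered.isoformat()))
    return suspicious


def audit_sample(signup_disabled_at="2025-10-01T00:00:00Z"):
    """Run the audit over the constructed sample with an assumed cutoff date."""
    return find_suspicious_users(json.loads(SAMPLE_USERS_JSON),
                                 parse_arm_timestamp(signup_disabled_at))


if __name__ == "__main__":
    for email, when in audit_sample():
        print(f"review: {email} registered via Basic auth at {when}")
```

To run it against a real service, replace the sample with the output of an ARM users list request (for example via `az rest --method get --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<apim-name>/users?api-version=2022-08-01"`; the api-version is an assumption, use whichever your tenant supports) and set the cutoff to the date the signup toggle was switched off. Anything flagged should be checked against your onboarding records before being blocked or deleted.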
