CVE-2025-53767: OpenAI Python SSRF EoP, no auth

CISO Take

This is a maximum-severity SSRF vulnerability in Azure OpenAI's API infrastructure — unauthenticated, network-exploitable, zero user interaction. An attacker can forge server-side requests from within Azure's internal network, likely reaching Instance Metadata Service endpoints to steal managed identity credentials or pivot to other tenant resources. Microsoft owns the patch for this managed service, but immediately audit your Azure OpenAI resource exposure, review managed identity permissions scoped to those resources, and watch MSRC for patch confirmation before considering this resolved.

What is the risk?

CVSS 10.0 with SSRF (CWE-918) in a hyperscale managed AI API. Scope is Changed (S:C), meaning a successful exploit breaks out of the Azure OpenAI service boundary into adjacent Azure infrastructure. With PR:N and AC:L, exploitation requires only a crafted API request — no credentials, no brute-force, no social engineering. The real blast radius is credential theft via Azure IMDS, cross-tenant data access, or lateral movement within the attacker's Azure footprint. Effective exposure is every organization with an Azure OpenAI endpoint publicly reachable or accessible from untrusted networks.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenAI Python	pip	—	No patch
31.0K OpenSSF 6.9 16.6K dependents Pushed 6d ago 14% patched ~23d to patch Full package profile →

Do you use OpenAI Python? You're affected.

How severe is it?

CVSS 3.1

10.0 / 10

EPSS

1.0%

chance of exploitation in 30 days

Higher than 59% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A None

What should I do?

6 steps

Check MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767) daily — this is a Microsoft-managed service, so the patch is deployed server-side without customer action.
Temporarily restrict Azure OpenAI endpoint access via Azure Private Endpoints or IP allowlisting to reduce attack surface.
Audit managed identity permissions on Azure OpenAI resources — apply least-privilege and revoke any overly broad roles (Contributor, Owner).
Enable Azure Monitor / Defender for Cloud alerts on Azure OpenAI resources to detect anomalous outbound request patterns.
Review Azure Activity Logs for unexpected API calls originating from your Azure OpenAI resource identity.
If using Azure OpenAI in agentic workflows, verify that tool integrations do not expose internal service endpoints accessible via SSRF.

What does CISA's SSVC say?

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Privacy Violation API Inference AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0075 - Cloud Service Discovery AML.T0085 - Data from AI Services AML.T0096 - AI Service API AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.9.3 - AI System Security Controls

NIST AI RMF

GOVERN 1.7 - Organizational roles and responsibilities for AI risk MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-53767?

This is a maximum-severity SSRF vulnerability in Azure OpenAI's API infrastructure — unauthenticated, network-exploitable, zero user interaction. An attacker can forge server-side requests from within Azure's internal network, likely reaching Instance Metadata Service endpoints to steal managed identity credentials or pivot to other tenant resources. Microsoft owns the patch for this managed service, but immediately audit your Azure OpenAI resource exposure, review managed identity permissions scoped to those resources, and watch MSRC for patch confirmation before considering this resolved.

Is CVE-2025-53767 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-53767, increasing the risk of exploitation.

How to fix CVE-2025-53767?

1. Check MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767) daily — this is a Microsoft-managed service, so the patch is deployed server-side without customer action. 2. Temporarily restrict Azure OpenAI endpoint access via Azure Private Endpoints or IP allowlisting to reduce attack surface. 3. Audit managed identity permissions on Azure OpenAI resources — apply least-privilege and revoke any overly broad roles (Contributor, Owner). 4. Enable Azure Monitor / Defender for Cloud alerts on Azure OpenAI resources to detect anomalous outbound request patterns. 5. Review Azure Activity Logs for unexpected API calls originating from your Azure OpenAI resource identity. 6. If using Azure OpenAI in agentic workflows, verify that tool integrations do not expose internal service endpoints accessible via SSRF.

What systems are affected by CVE-2025-53767?

This vulnerability affects the following AI/ML architecture patterns: Azure OpenAI API consumers, LLM API integrations, RAG pipelines, agent frameworks, Copilot integrations, enterprise AI gateways.

What is the CVSS score for CVE-2025-53767?

CVE-2025-53767 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 1.01%.

What is the AI security impact?

Affected AI Architectures

Azure OpenAI API consumersLLM API integrationsRAG pipelinesagent frameworksCopilot integrationsenterprise AI gateways

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0075 Cloud Service Discovery

AML.T0085 Data from AI Services

AML.T0096 AI Service API

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.3

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Azure OpenAI Elevation of Privilege Vulnerability

Exploitation Scenario

An adversary identifies a publicly accessible Azure OpenAI deployment (discoverable via Shodan, Azure subdomain enumeration, or leaked API endpoints in code repos). They craft a malicious request to the Azure OpenAI API containing a URL or parameter that triggers a server-side HTTP request to the Azure Instance Metadata Service (169.254.169.254/metadata/identity/oauth2/token). The SSRF returns a managed identity access token with whatever RBAC permissions are assigned to that Azure OpenAI resource. The attacker uses this token to authenticate against Azure management APIs, access Key Vault secrets, exfiltrate Blob Storage contents, or pivot laterally across the customer's Azure subscription — all without ever having had valid credentials.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.