CVE-2025-53767: Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Critical. PoC available. CISA SSVC decision: Track. This is a maximum-severity SSRF vulnerability in Azure OpenAI's API infrastructure: unauthenticated, network-exploitable, zero user interaction. An attacker can forge server-side requests from within Azure's internal network, likely reaching Instance Metadata Service endpoints to steal managed identity credentials or pivot to other tenant resources. Microsoft owns the patch for this managed service, but immediately audit your Azure OpenAI resource exposure, review managed identity permissions scoped to those resources, and watch MSRC for patch confirmation before considering this resolved.
Risk Assessment
CVSS 10.0 with SSRF (CWE-918) in a hyperscale managed AI API. Scope is Changed (S:C), meaning a successful exploit breaks out of the Azure OpenAI service boundary into adjacent Azure infrastructure. With PR:N and AC:L, exploitation requires only a crafted API request: no credentials, no brute force, no social engineering. The real blast radius is credential theft via Azure IMDS, cross-tenant data access, or lateral movement through the affected tenant's Azure footprint. Effective exposure is every organization whose Azure OpenAI endpoint is publicly reachable or accessible from untrusted networks.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| azure_openai | pip | — | No patch |
Recommended Action
Six steps:
1. Check the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767) daily: this is a Microsoft-managed service, so the patch is deployed server-side without customer action.
2. Temporarily restrict Azure OpenAI endpoint access via Azure Private Endpoints or IP allowlisting to reduce attack surface.
3. Audit managed identity permissions on Azure OpenAI resources: apply least privilege and revoke any overly broad roles (Contributor, Owner).
4. Enable Azure Monitor / Defender for Cloud alerts on Azure OpenAI resources to detect anomalous outbound request patterns.
5. Review Azure Activity Logs for unexpected API calls originating from your Azure OpenAI resource identity.
6. If using Azure OpenAI in agentic workflows, verify that tool integrations do not expose internal service endpoints reachable via SSRF.
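One way to script steps 2 and 3 of this checklist, as an added example that is not part of the original advisory: it audits an Azure OpenAI account's network exposure and the RBAC roles held by its managed identity. The JSON field names (publicNetworkAccess, networkAcls, identity.principalId, roleDefinitionName, scope) are assumed to match Azure CLI output, and every value below is constructed.

```python
import json

# Constructed sample shaped like the JSON that `az cognitiveservices account show`
# returns for an Azure OpenAI account; the field names are an assumption, not page content.
ACCOUNT = json.loads("""
{
  "identity": {"type": "SystemAssigned", "principalId": "11111111-2222-3333-4444-555555555555"},
  "properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": []
  }
}
""")

# Constructed sample shaped like `az role assignment list --all` output (assumed shape).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ASSIGNMENTS = [
    {"principalId": "11111111-2222-3333-4444-555555555555",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "11111111-2222-3333-4444-555555555555",
     "roleDefinitionName": "Key Vault Secrets User", "scope": SUB + "/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv"},
    {"principalId": "99999999-8888-7777-6666-555555555555",  # a different principal, not this resource
     "roleDefinitionName": "Owner", "scope": SUB},
]

# Roles that let a stolen managed-identity token reach far beyond the OpenAI resource itself.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def network_findings(account):
    """Step 2: flag an endpoint that untrusted networks can reach."""
    props = account["properties"]
    acls = props.get("networkAcls") or {}
    findings = []
    if props.get("publicNetworkAccess", "Enabled") == "Enabled" and acls.get("defaultAction", "Allow") == "Allow":
        findings.append("public network access enabled with no IP or VNet allowlist")
    if not props.get("privateEndpointConnections"):
        findings.append("no private endpoint configured")
    return findings


def identity_findings(account, assignments):
    """Step 3: list broad RBAC roles held by the resource's managed identity."""
    principal = (account.get("identity") or {}).get("principalId")
    return [f"{a['roleDefinitionName']} at {a['scope']}" for a in assignments
            if principal and a["principalId"] == principal and a["roleDefinitionName"] in BROAD_ROLES]


if __name__ == "__main__":
    for finding in network_findings(ACCOUNT) + identity_findings(ACCOUNT, ROLE_ASSIGNMENTS):
        print("FINDING:", finding)
```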
CISA SSVC Assessment
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-53767 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-53767, increasing the risk of exploitation.
What systems are affected by CVE-2025-53767?
This vulnerability affects the following AI/ML architecture patterns: Azure OpenAI API consumers, LLM API integrations, RAG pipelines, agent frameworks, Copilot integrations, enterprise AI gateways.
What is the CVSS score for CVE-2025-53767?
CVE-2025-53767 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.47%.
Technical Details
NVD Description
Azure OpenAI Elevation of Privilege Vulnerability
Exploitation Scenario
An adversary identifies a publicly accessible Azure OpenAI deployment (discoverable via Shodan, Azure subdomain enumeration, or leaked API endpoints in code repos). They craft a malicious request to the Azure OpenAI API containing a URL or parameter that triggers a server-side HTTP request to the Azure Instance Metadata Service (169.254.169.254/metadata/identity/oauth2/token). The SSRF returns a managed identity access token with whatever RBAC permissions are assigned to that Azure OpenAI resource. The attacker uses this token to authenticate against Azure management APIs, access Key Vault secrets, exfiltrate Blob Storage contents, or pivot laterally across the customer's Azure subscription — all without ever having had valid credentials.
Weaknesses (CWE)
CWE-918: Server-Side Request Forgery (SSRF)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Related Vulnerabilities
- CVE-2023-3686 (9.8): QuickAI: unauthenticated SQLi exposes OpenAI API keys (same package: openai)
- CVE-2025-65805 (7.5): OAI CN5G AMF: unauthenticated buffer overflow, RCE/DoS (same package: openai)
- CVE-2025-66786 (7.5): OAI CN5G AMF: unauthenticated JSON DoS on 5G SBI interface (same package: openai)
- CVE-2025-7021 (6.5): OpenAI Operator: fullscreen spoofing captures credentials (same package: openai)
- CVE-2025-26265 (6.5): openairinterface5g: segfault enables DoS via crafted UE message (same package: openai)