| The name of the base system (platform): | Microsoft Azure |
| Developers: | Microsoft |
| Date of the premiere of the system: | 2021/11/02 |
| Technology: | Big Data, Data Mining, SaaS |
2025: Microsoft's cloud service with OpenAI is leaky. It can be intercepted by hackers
On August 10, FSTEC sent a warning about the discovery of a critical vulnerability, BDU:2025-09637[1], in the Azure OpenAI cloud platform. It is assigned the maximum severity level: 10 points according to CVSS version 3.1. The vulnerability was confirmed by the vendor, which has already released a fix for it. FSTEC specialists recommend installing it as quickly as possible.
The vulnerability is associated with insufficient validation of incoming requests. It belongs to the category of Server-Side Request Forgery (SSRF, CWE-918). Exploitation of the vulnerability can allow a remote attacker to elevate their privileges on the server by spoofing the link when interacting with the server and gaining access to authentication tokens.
| "BDU:2025-09637 is a critical elevation-of-privilege vulnerability in Microsoft's Azure OpenAI service based on server-side request forgery (SSRF)," Stanislav Savchenko, leading expert of the CyberOK knowledge base, explained to TAdviser. "It affects Azure OpenAI cloud services, allowing attackers to manipulate server requests to access internal resources, such as the metadata of Azure instances, and potentially receive tokens or credentials to escalate rights. This can lead to unauthorized access to sensitive data, AI models and administrative interfaces." |
That is, attackers can use this vulnerability to take over the management of Azure cloud resources and gain access to data that companies store in cloud applications. In particular, the information accumulated in OpenAI AI models and the service management interfaces for working with them are at risk.
| "First of all, the vulnerability BDU:2025-09637 applies to those organizations that actively use Microsoft platforms for cloud infrastructure and applications, especially within the framework of enterprise solutions and services based on AI," Ekaterina Edemskaya, an analyst engineer at Gazinformservice, warned TAdviser readers. "Such companies can include large banks, government agencies, telecom operators, as well as organizations working in the field of financial technology and e-commerce. If the vulnerability is successfully exploited, attackers can gain unauthorized access to critical data, as well as elevate their privileges, which will compromise system security and potentially lead to information leaks." |
Ekaterina Edemskaya also notes that the vulnerability by itself does not make mass attacks possible. The main threat is that it allows attackers to act covertly and in a targeted way. To organize larger attacks, attackers can exploit this vulnerability as part of a comprehensive strategy.
| "It is impossible to fully protect the cloud platform, since much depends on the service provider itself," Alexander Samsonov, a leading expert in the development and testing department of the Security Code company, told TAdviser, lamenting the complexity of cloud protection. "For the vulnerability under consideration, official fixes from Microsoft have been released; they must be installed as soon as possible. It is also strongly recommended that you update your software regularly. Additionally, abnormal activity should be monitored, especially unusual requests to internal resources from Azure OpenAI services. If possible, it is worth applying network rules to restrict outbound traffic from Azure OpenAI." |
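The following is an added example, not code from the article, Microsoft or FSTEC: it sketches the destination validation whose absence defines SSRF (CWE-918) and applies the same check to egress logs, in line with the monitoring advice above. The blocked ranges, the `fetcher` log format and the DNS table are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a URL-fetching service should never reach on a caller's behalf.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",    # link-local, includes the instance metadata address
    "168.63.129.16/32",  # Azure platform (WireServer) address
    "::1/128", "fc00::/7", "fe80::/10")]

def blocked_reason(url, resolve=socket.getaddrinfo):
    """Return why `url` must not be fetched, or None if it is acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "scheme or host not allowed"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # a name, not a literal: check every address it resolves to
        try:
            addrs = [ipaddress.ip_address(ai[4][0]) for ai in resolve(parts.hostname, None)]
        except OSError:
            return "unresolvable host"
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        for net in BLOCKED_NETS:
            if addr.version == net.version and addr in net:
                return f"{addr} is in {net}"
    return None

def fake_resolve(host, port):  # constructed DNS answers so the example runs offline
    table = {"example.com": "93.184.216.34", "internal-admin.example": "10.1.2.3"}
    if host not in table:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], 0))]

# Constructed egress log lines: "<timestamp> <service> <method> <url>".
SAMPLE_LOG = """\
2025-08-11T09:14:02Z fetcher GET https://example.com/data.json
2025-08-11T09:14:07Z fetcher GET http://169.254.169.254/metadata/
2025-08-11T09:15:40Z fetcher GET http://internal-admin.example/health
2025-08-11T09:16:01Z fetcher GET http://[::ffff:10.0.0.5]/"""

def flag_lines(log, resolve=fake_resolve):
    """Return (timestamp, url, reason) for each line aimed at a blocked network."""
    rows = (line.split(maxsplit=3) for line in log.splitlines())
    checked = ((ts, url, blocked_reason(url, resolve)) for ts, _svc, _method, url in rows)
    return [hit for hit in checked if hit[2]]
```

When the check is used inline before a fetch, the connection should go to the address that was validated rather than re-resolving the name, so that a second DNS answer cannot bypass it.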
2021: Providing access to GPT-3 language models from OpenAI
On November 2, 2021, Microsoft announced Azure OpenAI Service, a service that will provide the company's cloud customers with access to OpenAI's GPT-3 language models. They will be able to take advantage of powerful AI algorithms combined with Azure enterprise capabilities such as security, data privacy and flexible scaling.
The solution can be applied in a wide range of scenarios, from converting natural language into program code to summarizing large volumes of text and generating answers to questions. For example, a sports franchise that develops its own application for interacting with fans during matches can use the service's capabilities to quickly turn the flow of information received from match commentators into short summaries of the game's highlights. And the marketing team can use the capabilities of the algorithms to quickly generate original content when creating posts on social networks or blogs.
Microsoft will offer tools for filtering and moderating the content of user requests and responses to help models work efficiently in each individual application. Customers will be able to customize these filters according to their business needs, since the language style suitable for, for example, a video game character may differ from that intended for company executives.
To ensure the correct and ethical use of algorithms, Azure OpenAI Service will first be available only by invitation. The first customers will be companies that plan to implement clearly defined use cases that include ethical principles and strategies for using AI. Working with these first clients will help Microsoft see how these measures work in practice and make adjustments if necessary. Beyond that, Microsoft will also give customers monitoring capabilities to identify possible cases of abuse or misuse, helping them make sure their own users are using the technology as intended.
The initiative was a continuation of cooperation between Microsoft and OpenAI. Microsoft previously developed a cloud supercomputer to train massive AI models, in collaboration with and exclusively for OpenAI. And in the spring of 2021, Microsoft announced the first use of GPT-3 in its product: the company integrated the algorithm into the Power Apps low-code development platform, which allows you to create applications without deep knowledge of code or formulas.
