Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Command injection in Azure Cloud Shell enables remote attackers to execute arbitrary commands and spoof user sessions when victims interact with malicious content. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), allowing network-based attackers to achieve high impact across confidentiality, integrity, and availability with scope change (S:C), indicating potential container escape or cross-tenant impact. Microsoft has released a patch per MSRC advisory. EPSS data not available, no CISA KEV listing identified, suggesting targeted rather than widespread exploitation at time of analysis.
Technical ContextAI
Azure Cloud Shell is Microsoft's browser-based command-line environment providing authenticated access to Azure resources via Bash or PowerShell, running in isolated Linux containers. This command injection vulnerability (CWE-77) occurs when the service fails to properly sanitize user-supplied input before passing it to system command execution functions. The CVSS scope change metric (S:C) indicates the vulnerability may allow escape from the Cloud Shell container's security boundary, potentially affecting resources beyond the vulnerable component itself. Command injection flaws typically arise from unsafe concatenation of user input with shell commands, use of dangerous functions like eval() or exec(), or insufficient input validation in web-based terminal implementations.
RemediationAI
Microsoft has released a patch for Azure Cloud Shell per MSRC advisory CVE-2026-35428 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35428). Since Azure Cloud Shell is a Microsoft-hosted service, users do not need to manually apply updates - Microsoft manages patching on the backend infrastructure. Organizations should verify patch deployment by consulting the MSRC advisory for confirmation dates and reviewing Azure Service Health notifications for their tenant. As interim mitigations until patch confirmation: restrict Cloud Shell access using Azure RBAC policies to only trusted administrators who require it (reduces attack surface by limiting potential victims); implement Conditional Access policies requiring compliant devices and trusted locations for Cloud Shell sessions (limits attacker ability to leverage compromised credentials post-exploitation); monitor Azure Activity Logs for unexpected Cloud Shell usage patterns or commands executed from unusual IP addresses/locations; educate administrators not to open untrusted links or paste unknown commands while Cloud Shell sessions are active (reduces user interaction attack vector). Note that completely disabling Cloud Shell eliminates risk but may disrupt legitimate administrative workflows - assess operational impact before implementation. Web content filtering to block known malicious domains can reduce phishing vector effectiveness.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28453
GHSA-mgh8-qx2p-mmfj