Azure Cloud Shell network spoofing (CVE-2026-35428)
Patch now - CVE-2026-35428 is a critical command injection vulnerability in Azure Cloud Shell that lets an unauthenticated attacker perform network spoofing after tricking a user into interacting with a malicious request (CVSS 9.6). Microsoft has released a fix; update your Cloud Shell environment immediately.
Overview
CVE-2026-35428 is a command injection vulnerability in Azure Cloud Shell, the browser-based shell environment for managing Azure resources. The flaw exists in how Cloud Shell handles special characters in input, allowing an attacker with no prior access to inject arbitrary commands.
The attack requires user interaction—the target must click a crafted link or open a malicious file in Cloud Shell. Once triggered, the attacker can spoof network services, potentially intercepting or redirecting traffic, displaying fake login prompts, or masquerading as legitimate Azure endpoints.
Technical Details
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
The vulnerability is rated CRITICAL (9.6) because it is exploitable over the network and requires no privileges, although the target must interact with the malicious request. The high CVSS score reflects the potential for complete spoofing of trusted Azure services, which could lead to credential theft or lateral movement within an organization’s Azure tenancy.
Affected Versions
All current versions of Azure Cloud Shell that haven’t applied the latest update from Microsoft are affected. Microsoft has updated Cloud Shell’s backend; no manual patching is required if you accept automatic updates.
Remediation
Microsoft has mitigated CVE-2026-35428 in Azure Cloud Shell’s backend infrastructure. Users do not need to manually install a patch; the update is applied automatically when Cloud Shell starts. However, organizations should:
- Ensure all users restart their Cloud Shell sessions to receive the patched version.
- Review any automation scripts or tools that interact with Cloud Shell to ensure they aren’t vulnerable to the same injection class.
- Monitor for unusual Cloud Shell activity as a secondary precaution.
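For the script review item above, this added example (not Microsoft's code, and not the mechanics of CVE-2026-35428, which this page does not detail) shows the injection class in a hypothetical automation wrapper: one version splices input into a string the shell re-parses, the other validates it against an assumed allow-list and passes it as a single argument. The function names, the allow-list policy and the `printf` stand-in for a real CLI call are assumptions.

```sh
#!/bin/sh
# Added example. show_group_* are hypothetical wrappers; printf stands in
# for a real CLI call such as: az group show --name "$name"

# VULNERABLE: eval re-parses the whole string, so characters like ; | & $ `
# inside the input are treated as shell syntax rather than data.
show_group_unsafe() {
    eval "printf 'group=%s\n' $1"
}

# Allow-list check (assumed policy for this example): 1-90 characters,
# letters, digits, underscore, dot and hyphen only.
is_valid_name() {
    [ "${#1}" -le 90 ] || return 1
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# HARDENED: reject anything outside the allow-list, then hand the value to
# the command as one quoted argument. No string is ever re-parsed.
show_group_safe() {
    if ! is_valid_name "$1"; then
        echo "rejected: invalid resource group name" >&2
        return 2
    fi
    printf 'group=%s\n' "$1"
}

# Constructed sample input carrying a command separator.
sample='demo; echo INJECTED'
show_group_unsafe "$sample"      # runs the trailing echo as a second command
show_group_safe "$sample" || echo "hardened wrapper refused the input"
show_group_safe 'rg-prod_01'
```

When reviewing scripts, search for `eval`, `sh -c "..."` and unquoted expansions that receive parameters from links, files or request data, and replace them with the validated, quoted form.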
Security Insight
This vulnerability is notable because it targets a trusted administrative interface—Cloud Shell is commonly used by IT teams for infrastructure management. Spoofing attacks against such tools are particularly dangerous because administrators implicitly trust the shell environment. This incident underscores that even first-party cloud management portals must be hardened against injection, and that user interaction requirements (clicking a malicious link) remain the most common bypass for network-based protections. Organizations should consider Cloud Shell as an attack surface in their cloud security audits, especially for environments handling sensitive tenant data.