Azure Cloud Shell Critical Command Injection: CVE-2026-35428 Allows Spoofing
The National Vulnerability Database has disclosed CVE-2026-35428, a critical command injection vulnerability in Azure Cloud Shell. This flaw, rated with a CVSS score of 9.6, allows an unauthenticated attacker to execute arbitrary commands, leading to spoofing over a network. The root cause is improper neutralization of special elements in a command, categorized as CWE-77.
This isn’t a theoretical issue; command injection in cloud environments can rapidly escalate. An attacker exploiting this could manipulate the Cloud Shell’s execution context, potentially gaining unauthorized access, altering configurations, or deploying malicious scripts. The high CVSS score reflects the network-exploitable nature and complete compromise of confidentiality, integrity, and availability.
While the National Vulnerability Database did not specify affected products beyond “Azure Cloud Shell,” defenders should assume any instance of Azure Cloud Shell is at risk until specific guidance or patches are released. This is a direct threat to the integrity of cloud management interfaces.
What This Means For You
- If your organization utilizes Azure Cloud Shell, immediately monitor for any suspicious activity or unauthorized command executions. Prepare to apply patches for CVE-2026-35428 as soon as Microsoft releases them. This vulnerability can lead to critical compromise of your cloud environment's control plane.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-35428 - Azure Cloud Shell Command Injection
title: CVE-2026-35428 - Azure Cloud Shell Command Injection
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
Detects the execution of Azure CLI commands within Azure Cloud Shell that are commonly abused in command injection attacks, specifically targeting CVE-2026-35428. This rule looks for specific Azure CLI commands that, when combined with crafted input due to the vulnerability, can lead to unauthorized actions and spoofing.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-35428/
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
detection:
selection:
CommandLine|contains:
- 'az storage blob upload'
- 'az vm create'
- 'az aks create'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35428 | Command Injection | Azure Cloud Shell |
| CVE-2026-35428 | Spoofing | Improper neutralization of special elements used in a command |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...
CVE-2026-6666 — A possible null pointer reference in PgBouncer before
CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...
PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...