Azure Cloud Shell access token theft

Published Tue, Sep 20th, 2022


An issue in Azure Cloud Shell could have allowed an attacker to take over an Azure App Service domain and use it to inject and execute commands in the terminals of users in other tenants who navigated to that domain while logged into their accounts. Using this method, an attacker could query the Azure Instance Metadata Service (IMDS) on those tenants' behalf and thereby obtain their access tokens.

Affected Services

Cloud Shell


None required.

Tracked CVEs

No tracked CVEs


Disclosure Date
Sat, Aug 20th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Discovered by
Gafnit Amiga, Lightspin