RCE vulnerability in Azure Pipelines

Published Thu, Mar 30th, 2023


Legit Security found an RCE vulnerability in Azure Pipelines that could have allowed an attacker to gain complete control of variables and tasks by exploiting logging commands. This would have enabled them to execute malicious code in the context of a pipeline workflow, which in turn would have let them access sensitive secrets such as cloud deployment keys, move laterally in the organization, and potentially initiate supply chain attacks. To exploit this vulnerability, an attacker would have needed permissions to create a pull request or push a commit in a repo integrated with Pipelines.

Affected Services

Azure Pipelines, Azure DevOps Services, Azure DevOps Server


None required

Tracked CVEs



Disclosure Date
Mon, Sep 5th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Nadav Noy, Legit Security