Azure CLI code injection vulnerability

Published Tue, Oct 25th, 2022


Azure CLI contained a code injection vulnerability. It could be exploited when a host ran an Azure CLI command whose parameter values came from an external, untrusted source: a value crafted to contain shell metacharacters was interpreted as additional commands rather than as data, leading to remote code execution on the host running the CLI. The vulnerability applies only when the Azure CLI command is run on a Windows machine from PowerShell (any version) and the parameter value contains the `&` or `|` character; if any of these conditions is not met, it does not apply.

Affected Services

Azure CLI (versions before 2.40.0, on Windows)

Remediation

Upgrade to Azure CLI 2.40.0 or later.
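The following PowerShell script is an added example; it is not part of the advisory and not code from the Azure CLI project. On Windows, `az` resolves to a batch-file wrapper, so parameter values that PowerShell passes to it unquoted reach cmd.exe's own parser, which is why `&` and `|` (cmd.exe's command separators) are the dangerous characters. The script checks that the installed CLI is at least 2.40.0 using `az version -o json`, and wraps `az` invocations so that parameter values from an untrusted source are rejected if they contain such characters. The function names and the character list are this example's own choices: the advisory names only `&` and `|`; the other cmd.exe metacharacters are included as a defensive assumption.

```powershell
# Added example (not from the advisory or the Azure CLI project): guard
# untrusted parameter values before they reach the `az` batch wrapper on
# Windows, and check that the installed CLI carries the 2.40.0 fix.

# Characters cmd.exe treats as separators, redirections, escapes or variable
# expansion when they appear unquoted on its command line. The advisory names
# only `&` and `|`; the rest are a defensive assumption of this example.
$script:CmdMetaChars = [char[]]@('&', '|', '<', '>', '^', '%', '"', "`n", "`r")

function Get-AzCliVersion {
    # `az version -o json` prints {"azure-cli": "x.y.z", ...}; read that field.
    $info = az version -o json 2>$null | ConvertFrom-Json
    if (-not $info) { throw 'Unable to read the Azure CLI version; is az on PATH?' }
    return [version]$info.'azure-cli'
}

function Test-AzVersionPatched {
    # True when the installed CLI is 2.40.0 or later (the fixed release).
    return (Get-AzCliVersion) -ge [version]'2.40.0'
}

function Assert-SafeAzArgument {
    # Throws if an untrusted value contains any cmd.exe metacharacter.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    foreach ($c in $script:CmdMetaChars) {
        if ($Value.IndexOf($c) -ge 0) {
            throw "Refusing to pass parameter '$Name': value contains cmd.exe metacharacter '$c'."
        }
    }
}

function Invoke-AzGuarded {
    # Runs `az <Command...>` with --name value pairs taken from a hashtable whose
    # values came from an untrusted source (an HTTP request, a queue message, ...).
    param(
        [Parameter(Mandatory)][string[]]$Command,
        [hashtable]$Parameters = @{}
    )

    # $IsWindows is undefined on Windows PowerShell 5.1, so fall back to $env:OS.
    $onWindows = $IsWindows -or ($env:OS -eq 'Windows_NT')
    if ($onWindows) {
        if (-not (Test-AzVersionPatched)) {
            Write-Warning "Azure CLI $(Get-AzCliVersion) is older than 2.40.0; upgrade."
        }
        # Validate regardless of version: the CLI fix does not make it a good idea
        # to forward shell metacharacters from untrusted input.
        foreach ($k in $Parameters.Keys) {
            Assert-SafeAzArgument -Name $k -Value $Parameters[$k]
        }
    }

    $argv = @($Command)
    foreach ($k in $Parameters.Keys) { $argv += "--$k"; $argv += $Parameters[$k] }
    & az @argv
    if ($LASTEXITCODE -ne 0) { throw "az exited with code $LASTEXITCODE" }
}

# Usage with constructed input (hypothetical resource group names). The first
# call runs; the second is rejected before az is launched because the value
# contains `&`, which cmd.exe would otherwise treat as a command separator.
# Invoke-AzGuarded -Command @('group', 'show') -Parameters @{ name = 'prod-rg' }
# Invoke-AzGuarded -Command @('group', 'show') -Parameters @{ name = 'prod-rg&whoami' }
```

Rejecting the value is preferred over trying to escape it: PowerShell's rules for quoting arguments to native commands differ between versions, and a value that must contain `&` or `|` is better supplied to `az` through a file or a JSON input parameter than on the command line.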

Tracked CVEs

No tracked CVEs

