Published Thu, Jan 19th, 2023


Multiple Azure Web services use a source control management (SCM) panel powered by Kudu and enabled by default. These services were all susceptible to a CSRF vulnerability due to an overly-permissive regular expression (regex) in a filter for malformed origins. This allowed origin bypass when using a domain name structured as 'victim.scm.azurewebsites.net._.attacker.com' (note the use of '._.', which looks like an emoji). Thus, if a target Azure user were tricked into visiting a specially crafted webpage served by a domain with the above name format, an attacker could exploit this CSRF vulnerability to deploy a zip file containing a malicious payload (such as a webshell) into a target web application (via the /api/zipdeploy endpoint). This could have allowed the attacker to gain remote code execution (RCE) as the 'www' user on the target app, and potentially also lateral movement to other Azure services used by the target organization, depending on what privileges were granted to the app's managed identity.

Affected Services

Azure Function Apps, Azure App Service, Azure Logic Apps


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Wed, Oct 26th, 2022
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Liv Matan, Ermetic