VYPR
Advisory · Published Mar 24, 2026 · Updated May 18, 2026 · 1 source

Microsoft Azure CLI MCP Zero-Day Command Injection Flaw Disclosed as Unpatched 0Day

The Zero Day Initiative has published a critical 0-day advisory for an unauthenticated command injection vulnerability in Microsoft Azure's azure-cli-mcp component, after Microsoft rated the flaw as Moderate and failed to patch it within the disclosure window.

On March 24, 2026, the Zero Day Initiative (ZDI) released advisory ZDI-26-226, disclosing a critical 0-day command injection vulnerability in Microsoft Azure's azure-cli-mcp component (AzureCliService). The flaw, tracked as ZDI-CAN-28042 with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on the MCP server. The vulnerability stems from improper validation of user-supplied strings before they are used in system calls, enabling an attacker to inject and execute arbitrary commands.

The affected component, azure-cli-mcp, is part of the Azure CLI's Model Context Protocol (MCP) integration, which provides AI-assisted command-line interactions. Because the vulnerability requires no authentication and can be exploited over the network, it poses a severe risk to any Azure environment where the MCP server is exposed. An attacker who successfully exploits this flaw could gain full control of the MCP server, potentially pivoting to other Azure resources.
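The flaw class described above, client-supplied strings reaching a system call without validation, is closed by never letting a shell parse client text. The following is an added example, not code from azure-cli-mcp or the ZDI advisory; `build_argv`, `run_az`, `ALLOWED_GROUPS` and the deny set are hypothetical names and values chosen for illustration.

```python
import shlex
import subprocess

# Assumption: subcommand groups this deployment lets MCP clients run.
ALLOWED_GROUPS = {"account", "group", "resource", "vm"}
# Constructed deny set, kept as defense in depth: argv execution does not
# need it on POSIX, but on Windows az is a .cmd wrapper parsed by cmd.exe.
SHELL_META = set(";&|`$<>%^\n\r")


class RejectedCommand(ValueError):
    """The client-supplied string is not a plain, allow-listed az invocation."""


def build_argv(command: str) -> list[str]:
    """Turn a client-supplied 'az ...' string into an argv list, or raise."""
    if len(command) > 2048:
        raise RejectedCommand("command too long")
    bad = SHELL_META.intersection(command)
    if bad:
        raise RejectedCommand(f"shell metacharacters present: {sorted(bad)!r}")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(f"unparseable command: {exc}") from exc
    if len(argv) < 2 or argv[0] != "az":
        raise RejectedCommand("only 'az <group> ...' invocations are accepted")
    if argv[1] not in ALLOWED_GROUPS:
        raise RejectedCommand(f"subcommand group not allowed: {argv[1]!r}")
    return argv


def run_az(command: str, timeout: int = 60) -> subprocess.CompletedProcess:
    """Run the validated command as an argv list, so client text stays data."""
    argv = build_argv(command)
    # shell=False is the default: no shell is spawned to interpret the string.
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
```

Rejections raised by `build_argv` are worth logging with the client identity, since they double as a signal for the monitoring recommended later in this article.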

ZDI reported the vulnerability to Microsoft on September 10, 2025, and Microsoft acknowledged the report the same day. However, on October 24, 2025, Microsoft rated the severity of the vulnerability as "Moderate," a classification ZDI apparently disagreed with given the CVSS 9.8 score. After Microsoft failed to release a patch, ZDI notified the vendor on March 9, 2026, of its intention to publish the case as a 0-day advisory, which it did on March 24, 2026.

Following the March 24, 2026 public release, ZDI updated the advisory on April 21, 2026. The vulnerability was discovered and reported by Alfredo Oliveira and David Fiser of Trend Research. ZDI's advisory notes that the only salient mitigation strategy is to restrict interaction with the product, effectively urging administrators to limit network exposure of the Azure CLI MCP service until a patch is available.

This incident highlights a growing tension between vendors and security researchers over vulnerability severity ratings and patch timelines. Microsoft's decision to classify a 9.8 CVSS vulnerability as "Moderate" and then not patch it within the standard 120-day disclosure window has led to the public release of exploit details, putting Azure customers at risk. The lack of a CVE ID assignment further complicates tracking and remediation efforts.

Azure administrators should immediately review their deployment of the azure-cli-mcp component, restrict network access to the MCP server, and monitor for any signs of exploitation. Given the 0-day status and the availability of technical details in the ZDI advisory, attackers are likely to develop and deploy exploits rapidly. Microsoft has not yet issued a public statement or patch, leaving customers in a reactive posture.

Synthesized by Vypr AI