Token Security — Azure MCP RCE vulnerability enables cloud takeover
AI relevance: Azure MCP servers enable AI agents to interact with cloud environments using natural language, but unauthenticated RCE vulnerabilities allow malicious actors to compromise the AI infrastructure itself and gain unauthorized access to sensitive cloud resources.
- Token Security researchers discovered a Remote Code Execution vulnerability in the official Azure MCP server and presented their findings at RSA Conference 2026.
- The vulnerability enables unauthenticated attackers with network access to compromise MCP servers and establish footholds in production environments.
- Attackers can steal Entra ID credentials used by the MCP server, compromising the Azure and Entra ID tenant of victim organizations.
- The vulnerability resides in the azmcp-extension-az tool that executes Azure CLI commands on the server machine.
- Attackers can abuse the az storage blob download command to write malicious files to startup script locations like ~/.bashrc or Windows startup folders.
- The exploit allows complete control over Azure CLI arguments, enabling file upload primitives that lead to RCE.
- Azure MCP servers lacked both authentication and authorization, allowing any client to inherit the server's Azure permissions.
- Microsoft has removed the vulnerable SSE transport type and deprecated the azmcp-extension-az tool.
- The latest Azure MCP server version now requires authentication and implements Entra ID On-Behalf-Of flow for proper authorization.
Why it matters
As organizations deploy AI agents with MCP servers to manage cloud infrastructure, unauthenticated RCE vulnerabilities create massive attack surfaces. Malicious actors can compromise AI infrastructure to steal cloud credentials, gain persistent access, and potentially manipulate AI agent responses to conduct sophisticated attacks like data corruption or prompt injection.
What to do
- Update immediately — Upgrade to the latest Azure MCP server version with authentication and authorization fixes
- Implement network segmentation — Restrict MCP server network access to authorized clients only
- Use least privilege — Ensure MCP service accounts have minimal necessary Azure permissions
- Monitor MCP server activity — Implement logging and alerting for unusual MCP tool usage patterns
- Regular security assessments — Conduct penetration testing of AI infrastructure components including MCP servers
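As an added illustration of the monitoring recommendation above and of the azmcp-extension-az abuse pattern described earlier (example code, not from Token Security or the Azure MCP project), the following Python scans MCP tool-call log records for azmcp-extension-az invocations whose az storage blob download writes into one of the startup locations the advisory names. The JSON-lines log format, its field names and the sample records are constructed assumptions; adapt them to your server's real logging.

```python
import json
import re

# Startup locations the advisory names as persistence targets: shell startup
# files and the Windows Start Menu Startup folder (paths normalized to "/").
STARTUP_PATTERNS = [
    re.compile(r"(^|/)\.(bashrc|bash_profile|profile|zshrc)$"),
    re.compile(r"/Start Menu/Programs/Startup/", re.IGNORECASE),
]
# az subcommands that write a local file at the path given by --file / -f
DOWNLOAD_COMMANDS = {("storage", "blob", "download"), ("storage", "file", "download")}

def download_destination(argv):
    """Return the local output path of an az download command, else None."""
    if len(argv) < 4 or argv[0] != "az" or tuple(argv[1:4]) not in DOWNLOAD_COMMANDS:
        return None
    for i, tok in enumerate(argv):
        if tok in ("--file", "-f") and i + 1 < len(argv):
            return argv[i + 1]
    return None

def is_suspicious(record):
    """True when an azmcp-extension-az call downloads into a startup location."""
    if record.get("tool") != "azmcp-extension-az":
        return False
    dest = download_destination(record.get("args", []))
    if dest is None:
        return False
    normalized = dest.replace("\\", "/")  # Windows paths use the same patterns
    return any(p.search(normalized) for p in STARTUP_PATTERNS)

def scan(log_lines):
    """Return (client, args) for every record that should raise an alert."""
    alerts = []
    for line in log_lines:
        record = json.loads(line)
        if is_suspicious(record):
            alerts.append((record.get("client"), record["args"]))
    return alerts

# Constructed sample records in a hypothetical JSON-lines log format.
SAMPLE_LOG = [
    r'{"client": "203.0.113.9", "tool": "azmcp-extension-az", "args": ["az", "storage", "blob", "download", "--account-name", "acct", "--container-name", "c", "--name", "b", "--file", "/home/svc/.bashrc"]}',
    r'{"client": "203.0.113.9", "tool": "azmcp-extension-az", "args": ["az", "storage", "blob", "download", "--account-name", "acct", "--container-name", "c", "--name", "b", "-f", "C:\\Users\\svc\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat"]}',
    r'{"client": "10.0.0.5", "tool": "azmcp-extension-az", "args": ["az", "storage", "blob", "download", "--account-name", "acct", "--container-name", "c", "--name", "b", "--file", "/tmp/report.csv"]}',
]

if __name__ == "__main__":
    for client, args in scan(SAMPLE_LOG):
        print(f"ALERT client={client} command={' '.join(args)}")
```

Any hit should be correlated with the source client and network path, since the advisory's root cause is that unauthenticated clients could reach the tool at all.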