Remote code execution (RCE) flaws allow attackers to submit commands to vulnerable software, which then executes them with the privileges of the application, and those privileges are typically high. A new, critical RCE vulnerability that impacts multiple Microsoft Azure-related services was recently discovered.
Liv Matan, an Ermetic researcher, explained that, "The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu… By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application."
