Public story · 2026-03-18 · source-backed
MCPwned: Azure MCP Server to Full Tenant Takeover.
Story
Token Security researcher Ariel Simon will demo a full attack chain at RSAC 2026 — from an RCE flaw in Microsoft's Azure MCP server to credential harvesting and complete Azure tenant compromise. The research extends beyond the patched CVE-2026-26118 by demonstrating post-exploit escalation paths the original advisory didn't surface. Yahoo Finance
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / What happened next
MCPwned: Azure MCP SSRF Chain Leads to Full Tenant Credential Takeover.
Both cover Ariel Simon, Azure, Azure MCP, CVE; cite the same source (Yahoo Finance); overlapping topics (ariel, azure, chain, credential, cve-2026-26118).
Shared entities / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Azure, Azure MCP, CVE, MCPwned; overlapping topics (azure, chain, compromise, full, server); picks up the Azure thread on 2026-03-23.
Shared entities / Shared topic / Earlier coverage
MCPwned: 30 CVEs in 60 Days.
Both cover Azure MCP, MCPwned, Microsoft, RCE; overlapping topics (azure, chain, server); earlier Azure MCP coverage from 2026-03-17.
Shared entities / Same source / Shared topic
CrowdStrike Names the Three Ways Your MCP Server Will Get Owned
Both cover Azure, Microsoft, RCE, RSAC; cite the same source (Yahoo Finance); overlapping topics (attack, chain, server).
Shared entities / Shared topic / What happened next
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover Azure, CVE, RSAC; overlapping topics (attack, chain, compromise, credential, didn); picks up the Azure thread on 2026-03-28.
Shared entities / Shared topic / Earlier coverage
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Both cover CVE, Microsoft, RCE; overlapping topics (attack, chain, credential, server); earlier CVE coverage from 2026-02-22.
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover CVE, Microsoft, RCE; overlapping topics (attack, chain); earlier CVE coverage from 2026-03-05.
Shared entities / Shared topic / What happened next / Tension
Self-replicating "Miasma" malware hit 70+ Microsoft open-source repos, stealing credentials the instant a repo opens in an AI tool.
Both cover Azure, Microsoft; overlapping topics (attack, credential); picks up the Azure thread on 2026-06-09.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — March 18, 2026
- AI generated
- no
- Story unit
- 2026-03-18-mcpwned-azure-mcp-server-to-full-tenant-takeover
- Labels
- source-backed, canonical briefing excerpt