H3-2026-0044
Azure Container Registry Task Code Execution
| Field | Value |
| --- | --- |
| Category | VULNERABILITY |
| Base Score | 8.1 |
Description
Azure Container Registry (ACR) Tasks allow users with Microsoft.ContainerRegistry/registries/tasks/write permissions to create and execute arbitrary containerized workloads within the registry's compute environment. Tasks execute with root privileges in ephemeral containers. If the registry has a managed identity configured, the executing container can access the Azure Instance Metadata Service (IMDS) to obtain access tokens for the registry's identity.
Impact
Attackers with task creation permissions can execute arbitrary code as root within ACR containers, enabling reconnaissance, data exfiltration, and pivoting to other systems. If the registry has a managed identity, attackers can retrieve access tokens via IMDS and escalate privileges to the registry's identity, which might have permissions to access Key Vaults, Storage Accounts, and other Azure resources.
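A least-privilege audit for the condition described above (a principal holding tasks/write on a registry that has a managed identity), added here as an example and not part of the advisory or of any Microsoft tooling: it evaluates Azure RBAC Actions/NotActions wildcards against constructed role definitions, role assignments and registry records whose field names mirror `az` CLI JSON output and are an assumption.

```python
# Audit which principals can create ACR Tasks on registries that carry a managed
# identity. Added example, not Microsoft's code; the records below are constructed
# to mirror `az role definition list` / `az role assignment list` / `az acr show`
# output (field names are an assumption).
import fnmatch
TASK_WRITE = "Microsoft.ContainerRegistry/registries/tasks/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
def registry_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{name}"

ROLE_DEFS = [  # constructed: 'PushOnly' and 'RegistryOpsNoTasks' are not built-in roles
    {"roleName": "Contributor", "permissions": [
        {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}]},
    {"roleName": "PushOnly", "permissions": [{"notActions": [], "actions": [
        "Microsoft.ContainerRegistry/registries/push/write"]}]},
    {"roleName": "RegistryOpsNoTasks", "permissions": [
        {"actions": ["Microsoft.ContainerRegistry/*"], "notActions": [TASK_WRITE]}]},
]
ASSIGNMENTS = [  # constructed
    {"principalName": "alice", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "ci-pipeline", "roleDefinitionName": "PushOnly", "scope": registry_id("rg-prod", "acrprod")},
    {"principalName": "bob", "roleDefinitionName": "RegistryOpsNoTasks", "scope": SUB},
    {"principalName": "carol", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-dev"},
]
REGISTRIES = [  # constructed; only acrprod has a managed identity
    {"name": "acrprod", "id": registry_id("rg-prod", "acrprod"), "identity": {"type": "SystemAssigned"}},
    {"name": "acrdev", "id": registry_id("rg-dev", "acrdev"), "identity": None},
]

def action_allowed(perm_blocks, action):
    """Azure RBAC: some Actions pattern matches and no NotActions pattern in the same block excludes it."""
    act = action.lower()  # '*' wildcards, case-insensitive
    hit = lambda pats: any(fnmatch.fnmatchcase(act, p.lower()) for p in pats)
    return any(hit(b.get("actions", [])) and not hit(b.get("notActions", [])) for b in perm_blocks)

def in_scope(scope, resource_id):
    """Assignments at subscription, resource-group or registry scope all cover the registry."""
    scope, rid = scope.lower().rstrip("/"), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def task_writers_on_identity_registries(role_defs, assignments, registries):
    """{registry: sorted principals} for identity-bearing registries where tasks/write is effectively granted."""
    roles = {r["roleName"]: r["permissions"] for r in role_defs}
    findings = {}
    for reg in (r for r in registries if (r.get("identity") or {}).get("type") not in (None, "None")):
        who = {a["principalName"] for a in assignments if in_scope(a["scope"], reg["id"])
               and action_allowed(roles.get(a["roleDefinitionName"], []), TASK_WRITE)}
        if who:
            findings[reg["name"]] = sorted(who)
    return findings
```

With the constructed data only `alice` is flagged: `bob` loses tasks/write through NotActions, `ci-pipeline` never had it, and `carol` only reaches a registry without an identity.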