Description
Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network.
Published: 2026-02-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Improper certificate validation in Azure Local enables an unauthorized attacker to execute arbitrary code over the network. This flaw permits remote code execution by accepting invalid or forged certificates, thereby compromising confidentiality, integrity, and availability of the affected service.

Affected Systems

The vendor and product impacted are Microsoft Azure Local. No specific version information is listed in the available data, so all deployments of Azure Local that may not have applied the latest security updates are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not yet listed in the CISA KEV catalog. Attackers would need network access to the Azure Local service and could exploit the weakness by presenting a malformed or self‑signed certificate during TLS negotiation. Because the fault lies in certificate validation, the exposure is generally limited to systems that rely on Azure Local for network communication, but the impact of successful exploitation would be full remote code execution.

Generated by OpenCVE AI on April 15, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Azure Local security update that corrects certificate validation.
  • Configure Azure Local to enforce strict certificate validation and reject any non‑trusted certificates.
  • Limit network exposure of Azure Local to trusted subnets, and monitor for anomalous TLS traffic.

Generated by OpenCVE AI on April 15, 2026 at 16:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network.
Title Azure Local Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Local
Weaknesses CWE-295
CPEs cpe:2.3:a:microsoft:azure_local:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Local
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Local
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:34.747Z

Reserved: 2025-12-11T21:02:05.733Z

Link: CVE-2026-21228

cve-icon Vulnrichment

Updated: 2026-02-25T15:42:36.364Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:23.297

Modified: 2026-02-25T14:20:49.480

Link: CVE-2026-21228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses