Description
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Published: 2026-04-24
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits exposure of sensitive information in Azure IoT Central, which can then be used by an authorized attacker to elevate privileges over the network. This results in the attacker gaining higher-level permissions, potentially enabling unrestricted access to devices, configuration data, and administrative controls.

Affected Systems

The affected product is Microsoft Azure IoT Central. No specific version information is provided in the advisory, so all current releases are potentially impacted until a patch is applied.

Risk and Exploitability

With a CVSS score of 9.9, the flaw is considered critical. The EPSS score shows a very low probability of exploitation, and it is not listed in the CISA KEV catalog. While the attack vector is not explicitly disclosed, it is inferred that an attacker who already has legitimate access to the Azure IoT Central environment could uncover sensitive data and subsequently exploit it to gain elevated privileges. Organizations should therefore assume the risk exists for privileged accounts and monitor for anomalous privilege changes.

Generated by OpenCVE AI on April 28, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update released by Microsoft for Azure IoT Central.
  • Review and tighten access controls, ensuring that only the minimum necessary privileges are assigned to users and services.
  • Configure monitoring and alerts for abnormal privilege escalation or unauthorized access attempts within the Azure IoT Central environment.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_iot_central:-:*:*:*:*:*:*:*

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Title Azure IoT Central Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft azure Iot Central
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:azure_iot_central:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Iot Central
References
Metrics cvssV3_1
{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:39:56.919Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21515

Vulnrichment

Updated: 2026-04-24T13:33:10.772Z

NVD

Status: Analyzed

Published: 2026-04-24T13:16:03.610

Modified: 2026-04-27T19:41:24.863

Link: CVE-2026-21515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z
