Description
Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing via SSRF
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a server‑side request forgery (SSRF) in Microsoft Azure IoT Explorer that enables an unauthorized attacker to cause the server to send arbitrary requests over the network, effectively spoofing internal services. The craft of the exploit relies on improper input validation (CWE‑20) and the SSRF weakness (CWE‑918). Attackers could thereby cause the IoT Explorer to request resources that appear legitimate, potentially leading to impersonation or other unauthorized network actions.

Affected Systems

The affected product is Microsoft Azure IoT Explorer. Specific product versions impacted are not enumerated in the available data; only the product name is identified.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score below 1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an SSRF enabled by an unauthorized attacker interacting with the IoT Explorer interface, but the exact conditions or required credentials are not detailed in the input. The exploitation path would involve sending a crafted request that the explorer validates poorly, leading it to forward the request to an arbitrary network destination, enabling spoofing of services inside the network.

Generated by OpenCVE AI on March 16, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any available Microsoft updates or security advisories for Azure IoT Explorer.
  • Restrict the IaC or network permissions to limit Azure IoT Explorer’s ability to initiate outbound requests to only the required endpoints.
  • Disable or limit any unused or untrusted features of Azure IoT Explorer that may facilitate SSRF.
  • Monitor outbound traffic logs from Azure IoT Explorer for suspicious requests.

Generated by OpenCVE AI on March 16, 2026 at 23:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network.
Title Azure IOT Explorer Spoofing Vulnerability
First Time appeared Microsoft
Microsoft azure Iot Explorer
Weaknesses CWE-20
CWE-918
CPEs cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Iot Explorer
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Iot Explorer
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:56.852Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26121

cve-icon Vulnrichment

Updated: 2026-03-11T14:54:15.305Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:41.347

Modified: 2026-03-13T19:57:51.093

Link: CVE-2026-26121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:19Z

Weaknesses