Description
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
Published: 2026-05-22
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in Azure Virtual Network Gateway, identified as a CWE‑20 flaw, allows an authorized attacker to execute code over a network, providing full remote code execution on the gateway device. This can compromise confidentiality, integrity, and availability of all traffic passing through the gateway.

Affected Systems

Microsoft Azure Virtual Network Gateway is affected. No specific version information was provided, but the vulnerability applies to all currently deployed instances of the product at the time of the advisory.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity and the vulnerability is exploitable by an attacker with valid credentials who can reach the gateway over the network. The EPSS score of < 1% indicates a very low probability of exploitation, but the high severity warrants immediate attention; the vulnerability is not listed in CISA KEV, suggesting no publicly known exploitation yet. The flaw stems from CWE‑20 improper input validation and can be exploited by crafting malformed packets that trigger arbitrary code execution. An attacker would need network connectivity to the gateway and must be authenticated or have privileged access to send malicious input.

Generated by OpenCVE AI on May 27, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the official Microsoft update for Azure Virtual Network Gateway as described in the Microsoft Security Response Center advisory.
  • Restrict inbound traffic to the gateway to only trusted IPs and enforce least privilege access controls to reduce the attack surface.
  • Continuously monitor gateway logs and network traffic for anomalous activity that may indicate an attempt to leverage input validation weaknesses or unauthorized command execution.

Generated by OpenCVE AI on May 27, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:azure_virtual_network_gateway:-:*:*:*:*:*:*:*

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
Title Azure Virtual Network Gateway Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Virtual Network Gateway
Weaknesses CWE-20
CPEs cpe:2.3:a:microsoft:azure_virtual_network_gateway:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Virtual Network Gateway
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Virtual Network Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:32:25.126Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40411

cve-icon Vulnrichment

Updated: 2026-05-26T10:55:53.828Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-22T23:16:51.220

Modified: 2026-05-27T16:47:30.840

Link: CVE-2026-40411

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T22:45:44Z

Weaknesses