Description
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
Published: 2026-05-22
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network, providing full remote code execution on the gateway device. This can compromise confidentiality, integrity, and availability of all traffic passing through the gateway.

Affected Systems

Microsoft Azure Virtual Network Gateway is affected. No specific version information was provided, but the vulnerability applies to all currently deployed instances of the product at the time of the advisory.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity and the vulnerability is exploitable by an attacker with valid credentials who can reach the gateway over the network. The lack of an EPSS score and absence from CISA KEV suggests no publicly known exploitation yet, but the high Severity warrants immediate attention. The flaw stems from CWE-20 improper input validation and can be exploited by crafting malformed packets that trigger arbitrary code execution. An attacker would need network connectivity to the gateway and must be authenticated or have privileged access to send malicious input.

Generated by OpenCVE AI on May 22, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the official Microsoft update for Azure Virtual Network Gateway as described in the Microsoft Security Response Center advisory.
  • Restrict inbound traffic to the gateway to only trusted IPs and enforce least privilege access controls to reduce the attack surface.
  • Continuously monitor gateway logs and network traffic for anomalous activity that may indicate an attempt to leverage input validation weaknesses or unauthorized command execution.

Generated by OpenCVE AI on May 22, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
Title Azure Virtual Network Gateway Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Virtual Network Gateway
Weaknesses CWE-20
CPEs cpe:2.3:a:microsoft:azure_virtual_network_gateway:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Virtual Network Gateway
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Virtual Network Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-22T22:03:06.684Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40411

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses