Impact
The vulnerability is a flaw in the deserialization of untrusted data within Microsoft Planetary Computer Pro, specifically the GeoCatalog component. By sending crafted serialized objects to the service, an attacker can trigger code that leaks sensitive information. The weakness is a classic insecure deserialization issue classified as CWE-502, and because the crafted data is delivered over a network, it directly leads to exposure of confidential information to an unauthorized party.
Affected Systems
Microsoft Planetary Computer Pro (GeoCatalog) is the affected product. No specific version ranges are provided in the CNA data, so all installations of this product that include the vulnerable deserialization logic are considered at risk until an update is applied.
Risk and Exploitability
The CVSS score of 10 marks this as critical, indicating a potentially complete compromise of data confidentiality. The EPSS score is not available, which means the current probability of exploitation is unknown, but the lack of listing in the CISA KEV catalog does not diminish the risk posed by a high-severity flaw. Attackers can deliver malicious payloads over a network to trigger the vulnerability, so the attack vector is inferred to be remote network-based exploitation.
OpenCVE Enrichment