Description
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Azure Stack Edge devices are vulnerable to remote code execution when an unauthorized attacker can supply a file name or path. The flaw allows the attacker to control the file placed on the device, leading to execution of arbitrary code over the network. The weakness is a classic example of external control of a file name or path and is classified as CWE-73, indicating insufficient validation of user-controlled input.

Affected Systems

The vulnerability affects Microsoft Azure Stack Edge devices, but no specific firmware or software versions were provided in the advisories. All deployments using Azure Stack Edge should be examined for the presence of the unpatched code path that allows uncontrolled file naming.

Risk and Exploitability

The CVSS score for this vulnerability is 9.8, indicating a critical level of severity. The EPSS score is not available, so the current risk of exploitation is unknown from that metric. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote over the network: an unauthenticated attacker who can reach the Azure Stack Edge device’s management or file upload interfaces may supply a malicious path to trigger code execution. No authentication requirement is specified, implying that the flaw could be abused by outsiders with network access to the device.

Generated by OpenCVE AI on June 9, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft‑issued firmware update that addresses the unvalidated file path issue for Azure Stack Edge devices
  • Restrict external access to the device’s management and file upload services by configuring firewall rules or IP whitelisting
  • Enable audit logging for file operations and monitor logs for abnormal or suspicious file name or path usage

Generated by OpenCVE AI on June 9, 2026 at 19:31 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
Title | | Azure Stack Edge Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft azure Stack Edge
Weaknesses | | CWE-73
CPEs | | cpe:2.3:a:microsoft:azure_stack_edge:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft azure Stack Edge
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T14:11:13.198Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47643

Vulnrichment

Updated: 2026-06-10T14:11:00.603Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:36.270

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:45:05Z

Weaknesses