Cyber Resilience

CVE-2026-21515

Critical

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0070 48.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-21515 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Microsoft Azure Iot Central. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 48.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21515, published on 2026-04-24, is a critical vulnerability (CVSS 9.9; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) in Azure IoT Central that involves the exposure of sensitive information to an unauthorized actor (CWE-200). This flaw enables an authorized attacker to elevate privileges over a network.

An attacker with low privileges (PR:L) can exploit the vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), with a scope change (S:C) that facilitates privilege escalation.

Microsoft's update guide provides details on mitigation and patches for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability explicitly enables privilege escalation (PR:L to high impact) via exploitation of a software flaw in Azure IoT Central, directly mapping to T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20853Same vendor: Microsoft
CVE-2026-40379Same vendor: Microsoft
CVE-2026-20877Same vendor: Microsoft
CVE-2026-23659Same vendor: Microsoft
CVE-2026-20860Same vendor: Microsoft
CVE-2026-24294Same vendor: Microsoft
CVE-2025-21418Same vendor: Microsoft
CVE-2026-24290Same vendor: Microsoft
CVE-2026-41615Same vendor: Microsoft
CVE-2026-40417Same vendor: Microsoft

Affected Assets

microsoft
azure iot central
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of flaws such as the sensitive information exposure in Azure IoT Central that enables privilege escalation.

prevent

Enforces approved authorizations for logical access to sensitive information, preventing unauthorized exposure over the network.

prevent

Limits privileges to the minimum necessary, reducing the impact of privilege escalation resulting from the sensitive information exposure.

References