
CVE-2026-23662

High

Published: 10 March 2026

Modified: 12 March 2026
KEV Added: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0006 (20.0th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23662 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Azure IoT Explorer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS exploit likelihood it ranks at the 20.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-23662 is a missing authentication vulnerability affecting a critical function in Azure IoT Explorer. This flaw, associated with CWE-306 (Missing Authentication for Critical Function) and CWE-319 (Cleartext Transmission of Sensitive Information), enables unauthorized information disclosure over a network. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

An unauthorized attacker can exploit this vulnerability remotely without authentication by accessing the unprotected critical function in Azure IoT Explorer. Successful exploitation results in high-impact confidentiality loss, allowing the attacker to disclose sensitive information transmitted in cleartext over the network, while integrity and availability remain unaffected.

Microsoft's security response center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23662 details recommended mitigations and available patches for addressing this vulnerability in Azure IoT Explorer. Security practitioners should consult this guide for deployment instructions and verify system updates.


Vulnerability details

Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication (CWE-306) for a remotely accessible critical function in Azure IoT Explorer directly enables unauthenticated exploitation of a public-facing application, resulting in sensitive information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26121: same product (Microsoft Azure IoT Explorer)
CVE-2026-23661: same product (Microsoft Azure IoT Explorer)
CVE-2026-23664: same product (Microsoft Azure IoT Explorer)
CVE-2025-21355: same vendor (Microsoft)
CVE-2025-65037: same vendor (Microsoft)
CVE-2025-59287: same vendor (Microsoft)
CVE-2025-50165: same vendor (Microsoft)
CVE-2025-21348: same vendor (Microsoft)
CVE-2026-26114: same vendor (Microsoft)
CVE-2025-21344: same vendor (Microsoft)

Affected Assets

Vendor: microsoft
Product: azure iot explorer
Affected versions: ≤ 0.15.13

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Directly requires identifying and restricting the actions permitted without authentication, preventing unauthorized access to critical functions such as the one affected by this CVE.

SC-14 Public Access Protections (prevent)

Mandates protections for publicly accessible interfaces that can be reached without authentication, addressing network-accessible critical functions that disclose information.

prevent

Enforces confidentiality and integrity for network transmissions, mitigating cleartext disclosure of sensitive information even when the function is reached without authorization.
