CVE-2026-23662
Published: 10 March 2026
Summary
CVE-2026-23662 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Azure IoT Explorer. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-23662 is a missing authentication vulnerability affecting a critical function in Azure IoT Explorer. This flaw, associated with CWE-306 (Missing Authentication for Critical Function) and CWE-319 (Cleartext Transmission of Sensitive Information), enables unauthorized information disclosure over a network. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.
An unauthorized attacker can exploit this vulnerability remotely, without authentication, by reaching the unprotected critical function in Azure IoT Explorer over the network. Successful exploitation results in a high-impact loss of confidentiality: sensitive information transmitted in cleartext can be disclosed to the attacker, while integrity and availability remain unaffected.
Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23662 details the recommended mitigations and available patches for Azure IoT Explorer. Security practitioners should consult that guide for deployment instructions and verify that the updates have been applied.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10584
Vulnerability details
Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
- CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-319 (Cleartext Transmission of Sensitive Information)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Missing authentication (CWE-306) for a remotely accessible critical function in Azure IoT Explorer directly enables unauthenticated exploitation of a public-facing application, resulting in sensitive information disclosure.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires identification and restriction of the actions permitted without authentication, preventing unauthorized access to critical functions such as the one in this CVE.
- SC-14 (Public Access Protections): mandates protections for publicly accessible interfaces that do not require authentication, addressing network-accessible critical functions that disclose information.
- Enforces confidentiality and integrity for network transmissions, mitigating cleartext disclosure of sensitive information even when the function is accessed without authorization.