Cyber Posture

CVE-2026-23664

High

Published: 10 March 2026

Modified: 12 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23664 is a high-severity Improper Restriction of Communication Channel to Intended Endpoints (CWE-923) vulnerability in Microsoft Azure IoT Explorer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 28.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-923

Authorizing wireless access restricts the wireless communication channel to only intended endpoints.

addresses: CWE-923

Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems.

addresses: CWE-923

Limits physical connectivity to transmission channels, supporting restriction of communication paths to only intended endpoints.

addresses: CWE-923

Requiring providers to meet communication-channel restrictions and monitoring adherence reduces improper restriction of channels to intended endpoints.

addresses: CWE-923

Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths.

addresses: CWE-923

Explicit control of VoIP traffic forces organizations to restrict communication channels to only intended endpoints and protocols.

addresses: CWE-923

Explicit internal/external separation restricts name-resolution channels to their intended communication endpoints.

addresses: CWE-923

Enforces that the wireless communication channel is usable only by intended endpoints, addressing improper channel restriction.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The remote network information disclosure vulnerability in Azure IoT Explorer enables exploitation of public-facing applications (T1190) to obtain sensitive data from the system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

Deeper analysis (AI)

CVE-2026-23664 is an information disclosure vulnerability in Azure IoT Explorer stemming from improper restriction of communication channel to intended endpoints, mapped to CWE-923. Published on 2026-03-10T18:18:14.523, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.

An unauthorized attacker can exploit this vulnerability remotely over a network with low attack complexity, requiring no privileges or user interaction. Exploitation enables the disclosure of sensitive information via unintended communication channels.

Microsoft's Security Response Center provides an update guide for mitigation at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23664.

Details

CWE(s)

Affected Products

microsoft · azure iot explorer · ≤ 0.15.13

CVEs Like This One

CVE-2026-23662 · Same product: Microsoft Azure IoT Explorer
CVE-2026-26121 · Same product: Microsoft Azure IoT Explorer
CVE-2026-23661 · Same product: Microsoft Azure IoT Explorer
CVE-2026-25181 · Same vendor: Microsoft
CVE-2026-26144 · Same vendor: Microsoft
CVE-2026-20947 · Same vendor: Microsoft
CVE-2026-20856 · Same vendor: Microsoft
CVE-2025-21385 · Same vendor: Microsoft
CVE-2025-62549 · Same vendor: Microsoft
CVE-2025-59287 · Same vendor: Microsoft
