Cyber Resilience

CVE-2026-24302

Severity: High
Published: 05 February 2026
Modified: 10 April 2026
KEV Added: not listed
Remediation: Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0153 (71.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24302 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Azure Arc. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 28.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-24302 is an improper access control vulnerability affecting Azure Arc. Published on 2026-02-05, it stems from CWE-284 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The high severity reflects network accessibility, low attack complexity, no privileges or user interaction required, and a high confidentiality impact with a changed scope.

An attacker with no privileges (PR:N) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N). Successful exploitation allows the attacker to elevate privileges, resulting in a high confidentiality impact (C:H) that extends beyond the vulnerable component (S:C). Integrity and availability are not affected (I:N/A:N).

The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24302.


Vulnerability details

Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The advisory explicitly describes this as an Elevation of Privilege vulnerability enabling privilege escalation, which maps directly to T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24290 (same vendor: Microsoft)
CVE-2025-24076 (same vendor: Microsoft)
CVE-2025-21359 (same vendor: Microsoft)
CVE-2026-21238 (same vendor: Microsoft)
CVE-2026-40381 (same vendor: Microsoft)
CVE-2026-24303 (same vendor: Microsoft)
CVE-2025-24042 (same vendor: Microsoft)
CVE-2026-23660 (same vendor: Microsoft)
CVE-2026-20843 (same vendor: Microsoft)
CVE-2026-40420 (same vendor: Microsoft)

Affected Assets

Vendor: Microsoft
Product: Azure Arc
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (AC-3, Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing unauthorized privilege elevation due to improper access control in Azure Arc.

Prevent: Employs the least privilege principle to restrict access to only necessary permissions, mitigating privilege escalation by unauthorized network attackers.

Prevent (AC-24, Access Control Decisions): Provides the capability for correct access control decisions based on user identity and roles, countering the improper access control vulnerability that allows no-privilege attackers to elevate.
