Cyber Resilience

CVE-2026-26121

Severity: High

Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: see the MSRC update guide
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0021 (43.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26121 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Azure IoT Explorer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26121 is a server-side request forgery (SSRF) vulnerability affecting Azure IoT Explorer. It stems from improper input validation (CWE-20) and SSRF (CWE-918), enabling an unauthorized attacker to perform spoofing over a network. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact with no privileges required.

An unauthorized attacker can exploit this vulnerability remotely over the network without user interaction. By inducing SSRF, the attacker can spoof network requests, potentially leading to unauthorized access to internal resources or services, as reflected in the high confidentiality impact score.

The Microsoft Security Response Center (MSRC) provides an update guide detailing mitigation and patch information for CVE-2026-26121 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26121. Security practitioners should consult this advisory for specific remediation steps.


Vulnerability details

Server-side request forgery (SSRF) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network.

CWE(s)

CWE-20 Improper Input Validation
CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability with network attack vector (AV:N), no auth required, directly enables remote exploitation of a public-facing or network-accessible application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23662 (same product: Microsoft Azure IoT Explorer)
CVE-2026-23664 (same product: Microsoft Azure IoT Explorer)
CVE-2026-23661 (same product: Microsoft Azure IoT Explorer)
CVE-2025-21344 (same vendor: Microsoft)
CVE-2026-35431 (same vendor: Microsoft)
CVE-2026-26139 (same vendor: Microsoft)
CVE-2026-26106 (same vendor: Microsoft)
CVE-2025-21385 (same vendor: Microsoft)
CVE-2026-26120 (same vendor: Microsoft)
CVE-2026-20856 (same vendor: Microsoft)

Affected Assets

Vendor: Microsoft
Product: Azure IoT Explorer
Versions: ≤ 0.15.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation [prevent]
Directly mitigates SSRF in Azure IoT Explorer by enforcing validation of user inputs used to construct network requests, addressing the root cause of improper input validation (CWE-20).

SI-2 Flaw Remediation [prevent]
Provides timely flaw remediation through identification, reporting, and patching of the specific SSRF vulnerability as detailed in the MSRC update guide.

Boundary protection [prevent, detect]
Restricts and monitors communications at system boundaries to block or alert on unauthorized outbound requests and spoofing enabled by SSRF.
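The input-validation control above (and the SSRF mechanism described under "Deeper analysis") is easiest to understand in code. The following is an added example written for this page; it is not code from Azure IoT Explorer, Microsoft, or the MSRC advisory, and it says nothing about how this particular CVE is triggered. It shows the generic shape of an SSRF guard in front of an outbound HTTP request: restrict scheme and port, refuse credentials and IP-literal hosts, allowlist the destination host by suffix, and resolve the name before use so that every answer is checked against loopback, RFC 1918, link-local (including the 169.254.169.254 cloud-metadata address) and other non-public ranges. The allowed suffix `.azure-devices.net`, the `FAKE_DNS` table, and all sample URLs are constructed assumptions for the demo.

```python
"""SSRF-resistant validation of an attacker-influenced URL before an
outbound request is made (added example; not Azure IoT Explorer code).

The allowlist suffix, the fake DNS table and all sample inputs below are
constructed assumptions so that the example runs offline.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit

# Hypothetical policy: this component only ever talks to IoT Hub endpoints
# under one DNS suffix, over HTTPS on 443 (assumption for the example).
ALLOWED_HOST_SUFFIXES = (".azure-devices.net",)
ALLOWED_SCHEMES = ("https",)
ALLOWED_PORTS = (443,)

Resolver = Callable[[str], Iterable[str]]


class UnsafeUrlError(ValueError):
    """Raised when a URL fails one of the SSRF checks."""


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; swapped for a table in the demo/test."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata),
    documentation/test ranges, multicast, reserved and unspecified ranges, for
    IPv4 and IPv6; IPv4-mapped IPv6 addresses are unwrapped first.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(raw: str, resolver: Resolver = system_resolver) -> str:
    """Return a normalised URL that is safe to request, or raise UnsafeUrlError.

    Order of checks: parseability, scheme, credentials in the authority,
    IP-literal host, host suffix allowlist, port, then every address the host
    resolves to. Resolving here (and pinning the real request to the vetted
    address) narrows the DNS-rebinding gap between check and use.
    """
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise UnsafeUrlError(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrlError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrlError("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased; brackets stripped for IPv6 literals
    if not host:
        raise UnsafeUrlError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, not a literal: continue with the allowlist
    else:
        raise UnsafeUrlError("IP-literal hosts are not allowed")
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise UnsafeUrlError(f"host not in allowlist: {host!r}")
    port = 443 if port is None else port
    if port not in ALLOWED_PORTS:
        raise UnsafeUrlError(f"port not allowed: {port}")
    try:
        addresses = list(resolver(host))
    except OSError as exc:
        raise UnsafeUrlError(f"resolution failed for {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeUrlError(f"host does not resolve: {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeUrlError(f"{host!r} resolves to non-public address {addr}")
    # Rebuild without userinfo or fragment so the caller requests exactly
    # what was vetted.
    netloc = host if port == 443 else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


# Constructed DNS table standing in for real resolution in this example.
FAKE_DNS = {
    "my-hub.azure-devices.net": ["20.0.113.10"],                 # public only
    "rebind.azure-devices.net": ["20.0.113.11", "10.0.0.5"],     # one private answer
    "meta.azure-devices.net": ["169.254.169.254"],               # cloud metadata
}


def demo_resolver(host: str) -> list[str]:
    """Offline resolver over the constructed table (unknown names: no answer)."""
    return FAKE_DNS.get(host, [])


def check(raw: str, resolver: Resolver = demo_resolver) -> tuple[bool, str]:
    """Convenience wrapper: (True, vetted_url) or (False, rejection reason)."""
    try:
        return True, validate_outbound_url(raw, resolver)
    except UnsafeUrlError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in (
        "https://my-hub.azure-devices.net/devices?api-version=2020-09-30",
        "http://my-hub.azure-devices.net/",
        "https://my-hub.azure-devices.net@evil.example/",
        "https://169.254.169.254/latest/meta-data/",
        "https://meta.azure-devices.net/",
        "https://rebind.azure-devices.net/",
    ):
        print(check(candidate))
```

The important design point is that the allowlist is applied to the parsed hostname, never to the raw string: `https://my-hub.azure-devices.net@evil.example/` contains the allowed suffix but its host is `evil.example`, and `rebind.azure-devices.net` passes the name check yet is still refused because one of its answers is private. A boundary-protection control (egress filtering on the host or network) provides a second layer if the application-level check is bypassed.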
