CVE-2026-21515
Published: 24 April 2026
Description
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of flaws such as the sensitive information exposure in Azure IoT Central that enables privilege escalation.
Enforces approved authorizations for logical access to sensitive information, preventing unauthorized exposure over the network.
Limits privileges to the minimum necessary, reducing the impact of privilege escalation resulting from the sensitive information exposure.
Security SummaryAI
CVE-2026-21515, published on 2026-04-24, is a critical vulnerability (CVSS 9.9; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) in Azure IoT Central that involves the exposure of sensitive information to an unauthorized actor (CWE-200). This flaw enables an authorized attacker to elevate privileges over a network.
An attacker with low privileges (PR:L) can exploit the vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), with a scope change (S:C) that facilitates privilege escalation.
Microsoft's update guide provides details on mitigation and patches for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability explicitly enables privilege escalation (PR:L to high impact) via exploitation of a software flaw in Azure IoT Central, directly mapping to T1068: Exploitation for Privilege Escalation.