{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21515", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.845Z", "datePublished": "2026-04-24T12:51:34.265Z", "dateUpdated": "2026-05-12T17:39:56.919Z"}, "containers": {"cna": {"title": "Azure IoT Central Elevation of Privilege Vulnerability", "datePublic": "2026-04-23T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_iot_central:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IOT Central", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en-US", "type": "CWE", "cweId": "CWE-200"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:56.919Z"}, "references": [{"name": "Azure IoT Central Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-21515"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T03:55:29.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T13:33:07.911994Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:33:10.772Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure IoT Central Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IOT Central", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-23T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515", "name": "Azure IoT Central Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_central:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:56.919Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21515", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:39:56.919Z", "dateReserved": "2025-12-30T18:10:54.845Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-24T12:51:34.265Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_central:-:*:*:*:*:*:*:*", "matchCriteriaId": "D625FE00-39AD-402B-B371-F479F7236AF2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network."}], "id": "CVE-2026-21515", "lastModified": "2026-04-27T19:41:24.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-04-24T13:16:03.610", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21515"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure IOT Central", "source": "cna", "vendor": "Microsoft"}, "product": "azure_iot_central", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T06:51:41.747887+00:00", "value": {"mitigation_remediation": ["Apply the latest security update released by Microsoft for Azure IoT Central.", "Review and tighten access controls, ensuring that only the minimum necessary privileges are assigned to users and services.", "Configure monitoring and alerts for abnormal privilege escalation or unauthorized access attempts within the Azure IoT Central environment."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Microsoft Azure IoT Central. No specific version information is provided in the advisory, so all current releases are potentially impacted until a patch is applied.", "description_and_impact": "The vulnerability permits exposure of sensitive information in Azure IoT Central, which can then be used by an authorized attacker to elevate privileges over the network. This results in the attacker gaining higher-level permissions, potentially enabling unrestricted access to devices, configuration data, and administrative controls.", "risk_and_exploitability": "With a CVSS score of 9.9 the flaw is considered critical. The EPSS score shows a very low probability of exploitation, and it is not listed in the CISA KEV catalog. While the attack vector is not explicitly disclosed, it is inferred that an attacker who already has legitimate access to the Azure IoT Central environment could uncover sensitive data and subsequently exploit it to gain elevated privileges. Organizations should therefore assume the risk exists for privileged accounts and monitor for anomalous privilege changes."}}}}, "created": "2026-04-27T19:15:11.630963+00:00", "updated": "2026-04-28T07:00:09.511544+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_iot_central"]}