{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23661", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.463Z", "datePublished": "2026-03-10T17:05:15.813Z", "dateUpdated": "2026-04-14T16:36:34.353Z"}, "containers": {"cna": {"title": "Azure IoT Explorer Information Disclosure Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "0.15.13"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"version": "1.0.0", "lessThan": "0.15.13", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en-US", "type": "CWE", "cweId": "CWE-319"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:34.353Z"}, "references": [{"name": "Azure IoT Explorer Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23661"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:40:46.463784Z", "id": "CVE-2026-23661", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:45:16.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T18:40:46.463784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:40:47.494Z"}}], "cna": {"title": "Azure IoT Explorer Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "0.15.13", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23661", "name": "Azure IoT Explorer Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.15.13", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:34.353Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23661", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:34.353Z", "dateReserved": "2026-01-14T16:59:33.463Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:15.813Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA6401CB-2490-4A38-8F23-363906BAF296", "versionEndExcluding": "0.15.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network."}, {"lang": "es", "value": "Transmisi\u00f3n en texto claro de informaci\u00f3n sensible en Azure IoT Explorer permite a un atacante no autorizado divulgar informaci\u00f3n a trav\u00e9s de una red."}], "id": "CVE-2026-23661", "lastModified": "2026-03-12T19:31:06.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:14.210", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23661"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,0.15.13)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure IoT Explorer", "source": "cna", "vendor": "Microsoft"}, "product": "azure_iot_explorer", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:16:58.937718+00:00", "value": {"mitigation_remediation": ["Visit the Microsoft Security Response Center website and download the latest Azure IoT Explorer update that removes the cleartext transmission flaw.", "Apply the update to all affected instances as soon as possible to prevent data disclosure.", "If an immediate update is not feasible, isolate Azure IoT Explorer from untrusted networks or use a VPN/SSL tunnel to encrypt traffic until the patch can be applied."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected by this vulnerability is Microsoft Azure IoT Explorer. No specific product versions are listed in the CNA data; the vulnerability applies to all versions of Azure IoT Explorer identified by the common platform enumeration cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*.", "description_and_impact": "The vulnerability in Microsoft Azure IoT Explorer allows sensitive information to be transmitted in cleartext, enabling an unauthorized attacker to capture and disclose confidential data. It represents a classic instance of the weakness described by CWE-319, Cleartext Transmission of Sensitive Information, and primarily compromises the confidentiality of the data exchanged by the Explorer application.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.5, indicating a high impact severity. EPSS indicates an exploit probability of less than 1%, suggesting that exploitation is unlikely to occur spontaneously in the near term. The vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be network-based: an attacker capable of intercepting traffic between Azure IoT Explorer and its associated services can read the cleartext data. The risk is significant for environments where sensitive data is transmitted without encryption and where the network may be accessible to untrusted actors."}}}}, "created": "2026-03-11T11:45:27.365898+00:00", "updated": "2026-03-20T14:34:09.775931+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_iot_explorer"]}