{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23664", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.463Z", "datePublished": "2026-03-10T17:04:34.104Z", "dateUpdated": "2026-04-14T16:35:28.776Z"}, "containers": {"cna": {"title": "Azure IoT Explorer Information Disclosure Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "0.15.13"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"version": "1.0.0", "lessThan": "0.15.13", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints", "lang": "en-US", "type": "CWE", "cweId": "CWE-923"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:35:28.776Z"}, "references": [{"name": "Azure IoT Explorer Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23664"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:46:18.235377Z", "id": "CVE-2026-23664", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:46:41.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23664", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:46:18.235377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:46:33.716Z"}}], "cna": {"title": "Azure IoT Explorer Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "0.15.13", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23664", "name": "Azure IoT Explorer Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-923", "description": "CWE-923: Improper Restriction of Communication Channel to Intended Endpoints"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.15.13", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:35:28.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23664", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:35:28.776Z", "dateReserved": "2026-01-14T16:59:33.463Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:04:34.104Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA6401CB-2490-4A38-8F23-363906BAF296", "versionEndExcluding": "0.15.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network."}, {"lang": "es", "value": "Restricci\u00f3n inadecuada de canal de comunicaci\u00f3n a puntos finales previstos en Azure IoT Explorer permite a un atacante no autorizado divulgar informaci\u00f3n a trav\u00e9s de una red."}], "id": "CVE-2026-23664", "lastModified": "2026-03-12T19:31:49.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:14.523", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23664"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-923"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,0.15.13)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure IoT Explorer", "source": "cna", "vendor": "Microsoft"}, "product": "azure_iot_explorer", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:35:31.490900+00:00", "value": {"mitigation_remediation": ["Download and install the latest Azure IoT Explorer update from Microsoft\u2019s patch portal. If a patch is not yet available, restrict network access to the Explorer to trusted hosts only or disable the exposed communication channel until an update is applied."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected users are those who run Microsoft Azure IoT Explorer. The CVE entry does not list specific affected versions or release notes, so any installation of Azure IoT Explorer that has not yet applied the official update may be vulnerable. It is recommended to verify the version against Microsoft\u2019s advisory referenced in the CVE entry.\n", "description_and_impact": "The vulnerability arises from improper restriction of a communication channel to intended endpoints in Azure IoT Explorer. An attacker who can interact with the device over the network could gain unauthorized access to sensitive information without higher privileges. This weakness is classified as CWE-923, which indicates that confidential data may be disclosed to an attacker who should not have access to it. The potential impact is primarily confidentiality loss; there is no indication of denial of service or persistence in the official description.\n", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity vulnerability when exploited. The EPSS score is below 1\u202f%, suggesting that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in CISA\u2019s KEV catalog, so there are no publicly documented exploits to date. Based on the description, the likely attack vector would require network access to the device; an attacker must be able to communicate with the IoT Explorer or the device it manages.\n"}}}}, "created": "2026-03-11T11:46:59.104066+00:00", "updated": "2026-03-20T14:31:46.331668+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_iot_explorer"]}