{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24300", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-21T21:28:02.969Z", "datePublished": "2026-02-05T22:13:25.676Z", "dateUpdated": "2026-05-11T21:25:26.218Z"}, "containers": {"cna": {"title": "Azure Front Door Elevation of Privilege Vulnerability", "datePublic": "2026-02-05T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_front_door:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Front Door", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Azure Front Door Elevation of Privilege Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:26.218Z"}, "references": [{"name": "Azure Front Door Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24300"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-07T04:55:18.475792Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:16.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-07T04:55:18.475792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T13:41:47.197Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Front Door Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Front Door", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-02-05T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24300", "name": "Azure Front Door Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Azure Front Door Elevation of Privilege Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_front_door:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T18:10:06.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24300", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:10:06.932Z", "dateReserved": "2026-01-21T21:28:02.969Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-05T22:13:25.676Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_front_door:-:*:*:*:*:*:*:*", "matchCriteriaId": "F66AE777-ECFA-4FD1-A6B5-AD9E8181020A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Azure Front Door Elevation of Privilege Vulnerability"}], "id": "CVE-2026-24300", "lastModified": "2026-02-12T19:02:39.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-02-05T23:15:54.490", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24300"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T16:38:33.472098+00:00", "value": {"mitigation_remediation": ["Update Azure Front Door to the latest version as advised by Microsoft.", "Apply RBAC to restrict management permissions and enable multi\u2011factor authentication for privileged accounts.", "Enable and monitor Azure Activity Logs for changes to Front Door configurations, and set alerting for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Microsoft Azure Front Door, a cloud\u2011based load\u2011balancing and routing service. No specific versions are listed; Microsoft\u2019s advisory does not enumerate affected releases.", "description_and_impact": "Azure Front Door includes an elevation of privilege flaw that permits an attacker to acquire higher-than\u2011intended access to the service. The weakness arises from improper access control within the Azure Front Door management interface, allowing operations that modify routing rules, security policies, or other configuration settings. If successful, an attacker could compromise confidentiality by redirecting traffic, alter integrity by injecting malicious payloads or creating unauthorized endpoints, and disrupt availability by misconfiguring health probes or rate limiting. The threat is classified under CWE\u2011284, which denotes authorization weaknesses. Based on the description, the attack may require legitimate credentials that have been granted higher privileges than intended or exploited through an existing misconfiguration.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity. The EPSS score of less than 1% suggests a very low, but non\u2011zero likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would almost certainly approach the flaw remotely through web or API requests to Azure Front Door\u2019s management endpoints, possibly leveraging compromised credentials or misconfigured roles. Successful exploitation would grant escalated privileges within the service, enabling a range of disruptive or data\u2011exfiltrative actions."}}}}, "created": "2026-04-15T18:00:15.516635+00:00", "updated": "2026-04-15T18:00:15.516647+00:00", "vendors": []}