{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26121", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.911Z", "datePublished": "2026-03-10T17:05:06.735Z", "dateUpdated": "2026-04-14T16:36:10.819Z"}, "containers": {"cna": {"title": "Azure IOT Explorer Spoofing Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "0.15.14"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"version": "1.0.0", "lessThan": "0.15.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}, {"description": "CWE-20: Improper Input Validation", "lang": "en-US", "type": "CWE", "cweId": "CWE-20"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:10.819Z"}, "references": [{"name": "Azure IOT Explorer Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26121"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:54:04.381642Z", "id": "CVE-2026-26121", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:54:22.319Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26121", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:54:04.381642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:54:15.305Z"}}], "cna": {"title": "Azure IOT Explorer Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure IoT Explorer", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "0.15.14", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26121", "name": "Azure IOT Explorer Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}, {"lang": "en-US", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.15.14", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:10.819Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26121", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:10.819Z", "dateReserved": "2026-02-11T15:52:13.911Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:06.735Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9DB4753-509E-45D4-8DC8-1DA5DD146DA7", "versionEndExcluding": "0.15.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Azure IoT Explorer permite a un atacante no autorizado realizar suplantaci\u00f3n a trav\u00e9s de una red."}], "id": "CVE-2026-26121", "lastModified": "2026-03-13T19:57:51.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:41.347", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26121"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,0.15.14)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure IoT Explorer", "source": "cna", "vendor": "Microsoft"}, "product": "azure_iot_explorer", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:19:56.941646+00:00", "value": {"mitigation_remediation": ["Check for and install any available Microsoft updates or security advisories for Azure IoT Explorer.", "Restrict the IaC or network permissions to limit Azure IoT Explorer\u2019s ability to initiate outbound requests to only the required endpoints.", "Disable or limit any unused or untrusted features of Azure IoT Explorer that may facilitate SSRF.", "Monitor outbound traffic logs from Azure IoT Explorer for suspicious requests."], "summary": {"action": "Assess Impact", "impact": "Spoofing via SSRF"}, "threat_synthesis": {"affected_systems": "The affected product is Microsoft Azure IoT Explorer. Specific product versions impacted are not enumerated in the available data; only the product name is identified.", "description_and_impact": "The vulnerability is a server\u2011side request forgery (SSRF) in Microsoft Azure IoT Explorer that enables an unauthorized attacker to cause the server to send arbitrary requests over the network, effectively spoofing internal services. The craft of the exploit relies on improper input validation (CWE\u201120) and the SSRF weakness (CWE\u2011918). Attackers could thereby cause the IoT Explorer to request resources that appear legitimate, potentially leading to impersonation or other unauthorized network actions.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, while the EPSS score below 1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an SSRF enabled by an unauthorized attacker interacting with the IoT Explorer interface, but the exact conditions or required credentials are not detailed in the input. The exploitation path would involve sending a crafted request that the explorer validates poorly, leading it to forward the request to an arbitrary network destination, enabling spoofing of services inside the network."}}}}, "created": "2026-03-11T11:45:43.839867+00:00", "updated": "2026-03-20T14:34:19.543631+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_iot_explorer"]}