What is the CVSS score of CVE-2026-24304?

CVE-2026-24304 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Azure are affected by CVE-2026-24304?

A critical privilege escalation vulnerability in Azure Resource Manager (CVE-2026-24304) allows authenticated attackers to gain unauthorized administrative access across cloud infrastructure.. A patch is available.

How to fix or mitigate CVE-2026-24304?

Within 24 hours: Inventory all Azure Resource Manager deployments and document users with elevated permissions; activate enhanced logging and monitoring for ARM API calls and privilege escalation attempts. Within 7 days: Implement network-level access controls restricting ARM access to known IP ranges; conduct privilege access reviews and revoke unnecessary permissions; establish incident response protocols for potential exploitation. Within 30 days: Deploy compensating controls listed below; coordinate with Microsoft for patching timeline; conduct tabletop exercises simulating privilege escalation scenarios.

Azure CVE-2026-24304

CRITICAL

Improper Access Control (CWE-284)

2026-01-23 secure@microsoft.com

Azure Azure Resource Manager

9.9

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.9 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 23, 2026 - 02:15 nvd

CRITICAL 9.9

DescriptionCVE.org

Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Azure Resource Manager has a CVSS 9.9 access control vulnerability allowing authorized users to escalate privileges across Azure subscriptions and resource groups.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with valid Azure credentials

Delivery

Access Resource Manager API endpoints

Exploit

Exploit improper access control logic

Execution

Escalate privileges to higher-scoped resources

Impact

Gain unauthorized control over subscriptions or tenants

Access

Authenticate with valid Azure credentials

Delivery

Access Resource Manager API endpoints

Exploit

Exploit improper access control logic

Execution

Escalate privileges to higher-scoped resources

Impact

Gain unauthorized control over subscriptions or tenants

Vulnerability AssessmentAI

Exploitation	Valid Azure account credentials required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.9 — ARM is the deployment and management layer for all Azure resources. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with limited Azure access exploits the ARM access control flaw to deploy resources, modify configurations, or access data in subscriptions they shouldn't have access to, potentially compromising production environments.
Remediation	Apply Microsoft patches. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Azure Resource Manager deployments and document users with elevated permissions; activate enhanced logging and monitoring for ARM API calls and privilege escalation attempts. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24304 vulnerability details – vuln.today

Back

Azure CVE-2026-24304

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code