Skip to main content

Azure Orbital Spatio CVE-2026-40412

| EUVDEUVD-2026-31511 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-22 microsoft GHSA-46m7-mpp9-r4v3
10.0
CVSS 3.1 · NVD
Temporal: 8.7
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:46 vuln.today

DescriptionCVE.org

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Technical ContextAI

Azure Orbital Spatio is a Microsoft Azure cloud service within the Azure Orbital family, which provides ground-station-as-a-service and geospatial data processing capabilities for satellite operators. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application accepts file uploads without sufficiently validating the file extension, MIME type, magic bytes, or post-upload handling - allowing an attacker-supplied executable artifact (e.g., a server-side script or binary) to be written into a location where the runtime will subsequently execute it. The CPE cpe:2.3:a:microsoft:azure_orbital_spatio:*:*:*:*:*:*:*:* indicates all versions of the affected service are in scope until Microsoft's server-side fix is rolled out.

RemediationAI

Patch available per vendor advisory - review Microsoft's MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40412 to confirm that the fix has been deployed to your Azure Orbital Spatio tenant, since this is a service-side mitigation rather than a customer-installable update. As a compensating control while validating remediation, restrict network reachability to the Spatio upload endpoints using Azure Private Link or NSG rules, disable or gate any custom file-ingestion workflows that wrap Spatio APIs, and audit recent uploads and storage accounts associated with the service for unexpected executable content (.aspx, .jsp, .php, .dll, scripts) - the trade-off is potential disruption to legitimate satellite data ingestion pipelines. Enable Defender for Cloud and Azure Monitor alerts on the relevant resource type to detect anomalous upload patterns.

Share

CVE-2026-40412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy