Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.
Technical ContextAI
Azure Orbital Spatio is a Microsoft Azure cloud service within the Azure Orbital family, which provides ground-station-as-a-service and geospatial data processing capabilities for satellite operators. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application accepts file uploads without sufficiently validating the file extension, MIME type, magic bytes, or post-upload handling - allowing an attacker-supplied executable artifact (e.g., a server-side script or binary) to be written into a location where the runtime will subsequently execute it. The CPE cpe:2.3:a:microsoft:azure_orbital_spatio:*:*:*:*:*:*:*:* indicates all versions of the affected service are in scope until Microsoft's server-side fix is rolled out.
RemediationAI
Patch available per vendor advisory - review Microsoft's MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40412 to confirm that the fix has been deployed to your Azure Orbital Spatio tenant, since this is a service-side mitigation rather than a customer-installable update. As a compensating control while validating remediation, restrict network reachability to the Spatio upload endpoints using Azure Private Link or NSG rules, disable or gate any custom file-ingestion workflows that wrap Spatio APIs, and audit recent uploads and storage accounts associated with the service for unexpected executable content (.aspx, .jsp, .php, .dll, scripts) - the trade-off is potential disruption to legitimate satellite data ingestion pipelines. Enable Defender for Cloud and Azure Monitor alerts on the relevant resource type to detect anomalous upload patterns.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31511
GHSA-46m7-mpp9-r4v3