Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.
Technical ContextAI
Azure Resource Manager is Microsoft's deployment and management service that serves as the authentication and authorization control plane for Azure subscriptions, mediating all REST API calls to create, configure, and govern Azure resources (identified by cpe:2.3:a:microsoft:azure_resource_manager). The root cause is classified as CWE-287 (Improper Authentication), meaning the service fails to correctly verify identity claims or token validity before granting privileged operations. Because ARM brokers calls to nearly every Azure service - IAM, Key Vault, storage, compute, networking - a flaw in its authentication path effectively undermines the security boundary of any resource it manages.
RemediationAI
Patch available per vendor advisory: Microsoft has issued a fix as documented in MSRC at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47280, and because ARM is a managed cloud service the remediation is applied server-side by Microsoft with no customer action required for the core fix. Customers should still verify their tenants by reviewing Azure Activity Logs and Microsoft Entra ID sign-in logs for anomalous ARM API calls, role assignments, or resource modifications during the exposure window, and tighten ARM access using Conditional Access policies that restrict management plane operations to trusted networks and devices (trade-off: legitimate admin operations from new locations may be blocked). Additionally, enforce Privileged Identity Management (PIM) just-in-time access and enable Microsoft Defender for Cloud's control-plane threat detections to flag suspicious post-exploitation activity.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31514
GHSA-q9gj-2hh6-3882