Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable management function with low complexity and no UI; PR:L because an existing low-privilege authenticated foothold is required, and the missing auth check yields full C/I/A compromise.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Azure CycleCloud 8.9.1 allows an authorized (low-privileged) attacker to gain elevated privileges over the network by reaching a critical function that lacks an authentication check (CWE-306). Reported by Microsoft with a patch available and rated CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess low-privileged authenticated access to the Azure CycleCloud instance (CVSS PR:L, 'authorized attacker'), and network reachability to the CycleCloud management service (AV:N); no user interaction is required (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding high impact across confidentiality, integrity, and availability - a strong signal for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds low-privilege credentials to an Azure CycleCloud 8.9.1 instance - for example a limited cluster user or a compromised service account - sends a network request that directly invokes a privileged management function that fails to check authorization. Because attack complexity is low and no user interaction is needed, the attacker escalates to full control of the CycleCloud instance and the HPC clusters it orchestrates. … |
| Remediation | Apply the vendor patch - Patch available per vendor advisory (Microsoft MSRC): review and follow the update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57969 to move Azure CycleCloud off the vulnerable 8.9.1 line to the fixed release; the exact patched version number is not stated in the provided data, so obtain it directly from the MSRC update guide. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Azure CycleCloud deployments and identify instances running version 8.9.1, categorizing by operational criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Azure Cyclecloud 8 9 1
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43760
GHSA-5hx7-jrq3-6879