Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.
Technical ContextAI
Azure Virtual Network Gateway is a managed Microsoft Azure service that provides cross-premises connectivity (VPN gateways for site-to-site/point-to-site IPsec tunnels and ExpressRoute gateways for private peering) between Azure virtual networks and on-premises networks or other VNets. The root cause is CWE-20 (Improper Input Validation), meaning the gateway accepts and processes untrusted data without sufficient validation, allowing crafted inputs to alter execution flow. The affected CPE (cpe:2.3:a:microsoft:azure_virtual_network_gateway) covers the Azure-hosted service component, suggesting the flaw is in the control or data plane code path that parses network protocol or management input.
RemediationAI
Patch available per vendor advisory - Microsoft has released a fix on the Azure platform; consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40411 to confirm whether the remediation is automatically applied to your gateway SKU or requires customer action such as a gateway reset, SKU upgrade, or redeployment. As compensating controls until remediation is verified, restrict who holds low-privileged Azure RBAC roles on Virtual Network Gateway resources (since PR:L is required), tighten Network Security Group rules to limit which subnets can reach gateway endpoints, enable Azure activity log and diagnostic log collection for the gateway to detect anomalous configuration calls, and consider temporarily disabling unused VPN client protocols (IKEv2, OpenVPN, SSTP) on Point-to-Site configurations - accepting the trade-off that legitimate remote users on those protocols will lose connectivity.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31510
GHSA-g63w-3vwq-rqw8