Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.
Technical ContextAI
Azure Stack Edge is Microsoft's managed hardware-as-a-service appliance used to bring Azure compute, storage, and machine learning capabilities to edge locations, often deployed for IoT, data preprocessing, and hybrid cloud workloads. The underlying weakness is CWE-73 (External Control of File Name or Path), meaning user-influenced input is used to construct file paths without sufficient validation, enabling path traversal, arbitrary file write, or referencing of attacker-controlled binaries. When combined with the 'Authentication Bypass' tag, this suggests the path-handling code path is reachable on a network interface without prior authentication, and a maliciously crafted path can be coerced into loading or executing code on the appliance.
RemediationAI
Apply the patch published by Microsoft via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47643 - patch availability per vendor advisory, but no exact fix version was included in the provided data, so confirm the build number directly with MSRC before scheduling deployment. As compensating controls until patching, restrict network reachability of the Azure Stack Edge management and data interfaces to a dedicated management VLAN or jump host, block inbound access from untrusted networks at upstream firewalls, and audit which appliance endpoints are exposed to the corporate LAN versus the internet; note that aggressive network segmentation may interrupt legitimate Azure synchronization and edge workload traffic, so test in a lower environment first. Increase monitoring for anomalous file-path or upload requests against the appliance's management interfaces.
More in Azure Stack Edge
View allMicrosoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters.
Azure Data Box Gateway Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remote
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35579
GHSA-hcqg-8f35-jw4g