Skip to main content

Azure Stack Edge EUVDEUVD-2026-35579

| CVE-2026-47643 CRITICAL
External Control of File Name or Path (CWE-73)
2026-06-09 secure@microsoft.com GHSA-hcqg-8f35-jw4g
9.8
CVSS 3.1 · Vendor: microsoft
Temporal: 8.5
Share

Severity by source

Vendor (microsoft) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
8.5 HIGH
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:53 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
CRITICAL 9.8

DescriptionCVE.org

External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.

Technical ContextAI

Azure Stack Edge is Microsoft's managed hardware-as-a-service appliance used to bring Azure compute, storage, and machine learning capabilities to edge locations, often deployed for IoT, data preprocessing, and hybrid cloud workloads. The underlying weakness is CWE-73 (External Control of File Name or Path), meaning user-influenced input is used to construct file paths without sufficient validation, enabling path traversal, arbitrary file write, or referencing of attacker-controlled binaries. When combined with the 'Authentication Bypass' tag, this suggests the path-handling code path is reachable on a network interface without prior authentication, and a maliciously crafted path can be coerced into loading or executing code on the appliance.

RemediationAI

Apply the patch published by Microsoft via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47643 - patch availability per vendor advisory, but no exact fix version was included in the provided data, so confirm the build number directly with MSRC before scheduling deployment. As compensating controls until patching, restrict network reachability of the Azure Stack Edge management and data interfaces to a dedicated management VLAN or jump host, block inbound access from untrusted networks at upstream firewalls, and audit which appliance endpoints are exposed to the corporate LAN versus the internet; note that aggressive network segmentation may interrupt legitimate Azure synchronization and edge workload traffic, so test in a lower environment first. Increase monitoring for anomalous file-path or upload requests against the appliance's management interfaces.

Share

EUVD-2026-35579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy