CVE-2026-21228: Azure Local Remote Code Execution Vulnerability

Overview

  • Severity: High (CVSS 8.1)
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • Category: Remote Code Execution
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2026-Feb
  • Released: 2026-02-10
  • EPSS Score: 0.09% (percentile: 24.9%)

Description

Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by intercepting the unsecured communication between the configurator app and target machines, modifying the responses, and using that to trigger command injection that runs arbitrary code with admin privileges on the system. They could then extract the Azure token from the app’s logs and use it to move laterally into the cloud environment.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

A high attack complexity means the attacker must be able to perform a precise machine‑in‑the‑middle modification of Kerberos traffic, which requires specific network positioning and conditions to succeed.

Affected Products (1)

Azure

  • Azure Local

Security Updates (1)

Acknowledgments

Michal Kamensky with Microsoft

Revision History

  • 2026-02-10: Information published.