CVE-2026-21528: Azure IoT Explorer Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 6.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Feb

Released

2026-02-10

Last Updated

2026-02-19

EPSS Score

0.10% (percentile: 26.6%)

Description

Binding to an unrestricted ip address in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability includes the contents of the user’s local file system, folders or potentially cloud access credentials associated with the system. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).

Affected Products (1)

Azure

• Azure IoT Explorer

Security Updates (2)

• Release Notes
• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/hay-mizrachi/">Hay Mizrachi</a> with <a href="https://microsoft.com/">Microsoft</a>

Revision History

• 2026-02-10: Information published.
• 2026-02-19: Corrected the CVE description and title. This is an informational change only.