CVE-2026-23661: Azure IoT Explorer Information Disclosure Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-Mar
Released: 2026-03-10
EPSS Score: 0.04% (percentile: 13.2%)

Description

Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability?

This vulnerability could allow an attacker on the same network to view sensitive data sent through the application’s unencrypted HTTP connection. Depending on how the application is used, this may include device connection information, authentication tokens, request data, file paths, and other information transmitted between the application and the IoT Hub. An attacker who intercepts this data may also be able to obtain device connection strings that could allow them to impersonate a device in the customer’s IoT environment.

Affected Products (1)

Azure

  • Azure IoT Explorer

Security Updates (2)

Acknowledgments

Hay Mizrachi (https://www.linkedin.com/in/hay-mizrachi/) with Microsoft (https://microsoft.com/)

Revision History

  • 2026-03-10: Information published.