CVE-2026-23662: Azure IoT Explorer Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Mar

Released

2026-03-10

EPSS Score

0.04% (percentile: 13.6%)

Description

Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability? This vulnerability could allow an attacker on the same network to view IoT device telemetry that is sent through the affected WebSocket connection. The exposed data may include real‑time device readings, operational status information, or device‑specific metadata transmitted by the application. The exact information disclosed depends on the telemetry configured by the device.

Affected Products (1)

Azure

• Azure IoT Explorer

Security Updates (2)

• Release Notes
• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/hay-mizrachi/">Hay Mizrachi</a> with <a href="https://microsoft.com/">Microsoft</a>

Revision History

• 2026-03-10: Information published.