CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-24304

CVSS 9.9v3.1pub. 2026-01-23upd. 2026-02-12

Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The flaw consists of improper access control (CWE-284) in the Azure Resource Manager service. An authenticated attacker with a basic level of permissions can, by sending appropriately crafted network requests, bypass authorization mechanisms and obtain privileges exceeding the granted scope. The network vector and lack of user interaction requirement mean that the attack can be conducted remotely and without victim participation.

Impact

An attacker can obtain elevated privileges in the Azure environment, potentially allowing full takeover of cloud resources, data read and modification, and disruption of services within the affected subscription or tenant.

Mitigation & patch

Apply patches available from the vendor according to the following references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304. For services managed by Microsoft, updates may be deployed automatically on the platform side — it is recommended to verify the status in Microsoft Security Response Center.

Who is affected

Microsoft Azure Resource Manager — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Resource Manager

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-47280CRITICAL10.0PL ✓ten sam produkt

Obejście uwierzytelniania w Azure Resource Manager umożliwia eskalację uprawnień

CVE-2026-42822CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Azure Local Disconnected Operations — eskalacja uprawnień

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych