CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-47280

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-05-27

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability consists of improper implementation of the authentication mechanism (CWE-287) in Azure Resource Manager. An attacker can send specially crafted network requests to ARM without possessing valid credentials, and the service incorrectly treats such requests as authorized. The attack vector is network-based, requires no prior privileges (PR:N) or user interaction (UI:N), and the scope of the attack extends beyond the directly vulnerable component (S:C).

Impact

An unauthenticated attacker can obtain elevated privileges in an Azure environment, potentially taking control of cloud resources, reading sensitive data, modifying infrastructure configurations, or causing unavailability.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed update information available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47280. As an interim measure, it is recommended to restrict network access to ARM and monitor logs for unauthorized API calls.

Who is affected

Azure Resource Manager (ARM) — versions indicated in the vendor references (Microsoft Security Response Center)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Resource Manager

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-42822CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Azure Local Disconnected Operations — eskalacja uprawnień

CVE-2026-24304CRITICAL9.9PL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w Azure Resource Manager — privilege escalation

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych