CVE-2026-47643: Azure Stack Edge Remote Code Execution Vulnerability
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- 3.3.2604.3097
- Affected Products
- 1
HarborGuard Analysis
Synopsis
External control of file name or path in Microsoft Azure Stack Edge allows an unauthenticated remote attacker to execute arbitrary code over the network. No authentication or user interaction is needed; the attacker only needs network access to a vulnerable Azure Stack Edge instance running a version between 2.2.0 and 3.3.2604.3097. Successful exploitation gives the attacker full code execution on the target, enabling complete confidentiality, integrity, and availability impact. A patched-image rebuild at version 3.3.2604.3097 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate Azure Stack Edge components. Any image carrying an affected version (2.2.0 through below 3.3.2604.3097) will be flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured policy rules.
AvailableA patched-image rebuild at version 3.3.2604.3097 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must be able to reach the Azure Stack Edge service over the network; the vulnerability is exposed remotely without requiring LAN or physical proximity.
- AuthenticationNot required
No credentials or account of any privilege level are needed; the attack can be launched by any unauthenticated party with network access.
- Victim interactionNot required
No user or administrator action is required to trigger exploitation; the attacker operates entirely without involving a human target.
- Attack complexityDetail
Exploit complexity is low, meaning the attack is reliable and requires no special preconditions such as race conditions or specific memory layout.
Blast Radius
- A successful attacker executes arbitrary code in the context of the Azure Stack Edge process, gaining a foothold on the host.
- All data accessible to that process is readable, including configuration files, secrets, and any customer data transiting the device.
- The attacker can write or overwrite files, modify configuration, and alter processing pipelines on the device.
- The attacker can crash or halt the Azure Stack Edge service, disrupting edge workloads and any dependent applications.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47643 is active and will flag any image containing Azure Stack Edge versions 2.2.0 through below 3.3.2604.3097 within minutes of a scan. A patched-image rebuild at 3.3.2604.3097 is available for environments where the affected package is present. For customers who opt into auto-remediation, HarborGuard will rebuild the image, execute regression tests, and open a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage finding is routed to the designated team inbox with full CVSS context so reviewers can act immediately.
- Microsoft / Azure Stack Edge< 3.3.2604.3097 (from 2.2.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C