Critical Vulnerability in Azure DevOps

CVE-2026-42826 is a Critical information disclosure vulnerability affecting Azure DevOps and has a CVSS score of 10. This vulnerability allows unauthenticated remote attackers to disclose sensitive information over a network through an exposure of sensitive information flaw (CWE-200). Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention.

Table 1. Critical vulnerability in Azure DevOps
Severity  CVSS Score  CVE             Description                                                  Action Required?
Critical  10          CVE-2026-42826  Microsoft Azure DevOps Information Disclosure Vulnerability  No

Critical Vulnerabilities in Azure Managed Instance for Apache Cassandra

CVE-2026-33109 and CVE-2026-33844 are Critical RCE vulnerabilities affecting Azure Managed Instance for Apache Cassandra, with CVSS scores of 9.9 and 9.0, respectively. Azure Managed Instance for Apache Cassandra is a fully managed cloud service for deploying and scaling Apache Cassandra clusters; RCE vulnerabilities in this service could allow attackers to compromise sensitive data workloads and underlying infrastructure.

An improper access control flaw (CVE-2026-33109) allows low-privileged remote attackers to execute arbitrary code with no user interaction required. An improper input validation flaw (CVE-2026-33844) similarly allows low-privileged remote attackers to execute code, though user interaction is required. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.

Table 2. Critical vulnerabilities in Azure Managed Instance for Apache Cassandra
Severity  CVSS Score  CVE             Description                                                 Action Required?
Critical  9.9         CVE-2026-33109  Azure Managed Instance for Apache Cassandra RCE Vulnerability  No
Critical  9.0         CVE-2026-33844  Azure Managed Instance for Apache Cassandra RCE Vulnerability  No

Critical Vulnerability in Microsoft Dynamics 365 On-Premises

CVE-2026-42898 is a Critical RCE vulnerability affecting Microsoft Dynamics 365 (on-premises) and has a CVSS score of 9.9. A code injection flaw (CWE-94) allows any authenticated remote attacker to execute code over a network with no user interaction required. An attacker could exploit this by modifying the saved state of a process session in Dynamics CRM and triggering the system to process that data, causing the server to unintentionally execute malicious code. An official fix is available for customers to deploy.

Table 3. Critical vulnerability in Microsoft Dynamics 365 On-Premises
Severity  CVSS Score  CVE             Description                                          Action Required?
Critical  9.9         CVE-2026-42898  Microsoft Dynamics 365 On-Premises RCE Vulnerability  Yes

Critical Vulnerability in Windows Netlogon

CVE-2026-41089 is a Critical RCE vulnerability affecting Windows Netlogon and has a CVSS score of 9.8. A stack-based buffer overflow flaw (CWE-121) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted network request to a Windows server running as a domain controller, causing the Netlogon service to improperly handle the request and execute malicious code without requiring any prior access or credentials. An official fix is available for customers to deploy.

Table 4. Critical vulnerability in Windows Netlogon
Severity  CVSS Score  CVE             Description                        Action Required?
Critical  9.8         CVE-2026-41089  Windows Netlogon RCE Vulnerability  Yes

Critical Vulnerability in Windows DNS Client

CVE-2026-41096 is a Critical RCE vulnerability affecting the Windows DNS Client and has a CVSS score of 9.8. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory, potentially enabling RCE without authentication.

While the Windows DNS Client is present on virtually all Windows workstations and servers, practical exploitation requires an attacker to be in a position to intercept or respond to a system’s DNS requests, such as through DNS spoofing, a rogue DNS server, or a machine-in-the-middle position on the network, which represents a meaningful prerequisite to exploitation. An official fix is available for customers to deploy.

Table 5. Critical vulnerability in Windows DNS Client
Severity  CVSS Score  CVE             Description                          Action Required?
Critical  9.8         CVE-2026-41096  Windows DNS Client RCE Vulnerability  Yes

Critical Vulnerability in Microsoft Teams Events Portal

CVE-2026-33823 is a Critical information disclosure vulnerability affecting the Microsoft Teams Events Portal and has a CVSS score of 9.6. An improper authorization flaw (CWE-285) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 6. Critical vulnerability in Microsoft Teams Events Portal
Severity  CVSS Score  CVE             Description                                                          Action Required?
Critical  9.6         CVE-2026-33823  Microsoft Teams Events Portal Information Disclosure Vulnerability  No

Critical Spoofing Vulnerability in Azure Cloud Shell

CVE-2026-35428 is a Critical spoofing vulnerability affecting Azure Cloud Shell and has a CVSS score of 9.6. A command injection flaw (CWE-77) allows unauthenticated remote attackers to perform spoofing over a network. The vulnerability requires user interaction and has a changed scope with high confidentiality, integrity, and availability impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 7. Critical vulnerability in Azure Cloud Shell
Severity  CVSS Score  CVE             Description                             Action Required?
Critical  9.6         CVE-2026-35428  Azure Cloud Shell Spoofing Vulnerability  No

Critical Spoofing Vulnerability in Microsoft Enterprise Security Token Service

CVE-2026-40379 is a Critical spoofing vulnerability affecting Microsoft Enterprise Security Token Service (ESTS) and has a CVSS score of 9.3. An exposure of sensitive information flaw (CWE-200) in Azure Entra ID allows unauthenticated remote attackers to perform spoofing over a network. ESTS is the underlying token issuance infrastructure for Microsoft Entra ID (formerly Azure AD), responsible for authenticating users and issuing security tokens across Microsoft cloud services. A spoofing vulnerability here could allow attackers to impersonate users or services across any platform relying on Entra ID authentication.

The vulnerability requires user interaction and has a changed scope with high confidentiality and integrity impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 8. Critical vulnerability in Microsoft Enterprise Security Token Service
Severity  CVSS Score  CVE             Description                          Action Required?
Critical  9.3         CVE-2026-40379  Microsoft ESTS Spoofing Vulnerability  No

Critical Elevation of Privilege Vulnerability in Windows Hyper-V

CVE-2026-40402 is a Critical elevation of privilege vulnerability affecting Windows Hyper-V and has a CVSS score of 9.3. A use-after-free flaw (CWE-416) allows a low-privileged guest VM to elevate privileges and gain access to the Hyper-V host environment. A guest VM could exploit this by forcing the Hyper-V host’s kernel to read from an arbitrary address, potentially allowing the attacker to traverse the guest’s security boundary. In most circumstances, this would result in a denial of service of the host; however, exploitation could also trigger hardware device-specific side effects that may further compromise host security. An official fix is available for customers to deploy.

Table 9. Critical vulnerability in Windows Hyper-V
Severity  CVSS Score  CVE             Description                                             Action Required?
Critical  9.3         CVE-2026-40402  Windows Hyper-V Elevation of Privilege Vulnerability  Yes

Critical Elevation of Privilege Vulnerability in Microsoft SSO Plugin for Jira and Confluence

CVE-2026-41103 is a Critical elevation of privilege vulnerability affecting the Microsoft SSO Plugin for Jira and Confluence and has a CVSS score of 9.1. An incorrect implementation of an authentication algorithm (CWE-303) allows unauthenticated remote attackers to elevate privileges with no user interaction and low attack complexity. The Microsoft SSO Plugin enables organizations to use Microsoft Entra ID as an identity provider for Atlassian Jira and Confluence; an authentication bypass in this plugin could allow attackers to impersonate users across these platforms.

An attacker could send a specially crafted single sign-on (SSO) response during the login process to forge an identity, bypassing Microsoft Entra ID authentication entirely and gaining unauthorized access to Jira or Confluence with the permissions of the compromised account. An official fix is available for customers to deploy.

Table 10. Critical vulnerability in Microsoft SSO Plugin for Jira and Confluence
Severity  CVSS Score  CVE             Description                                                                          Action Required?
Critical  9.1         CVE-2026-41103  Microsoft SSO Plugin for Jira and Confluence Elevation of Privilege Vulnerability  Yes
