External risk intelligence

Azure Stack Edge External Control of File Name Vulnerability Allows Network Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-47643

An external control of file name or path vulnerability in Azure Stack Edge could allow an unauthorized attacker to execute code over a network. This issue could impact the confidentiality, integrity, and availability of affected systems. As Azure Stack Edge devices often operate at the network edge and interact with ex

4Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-47643

Azure Stack Edge is an edge computing appliance designed to process data locally and connect to the cloud. These devices are frequently deployed as edge gateways or internet-facing nodes, making their management interfaces and network-accessible services common targets for internet-based discovery and interaction.

PCI scan relevance

PCI Relevance for CVE-2026-47643

Yes

CVE-2026-47643 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code execution, which typically causes a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Azure Stack Edge devices, potentially allowing an unauthorized attacker to execute code remotely over a network. The issue stems from how the system handles file names and paths, which could be exploited to gain unauthorized access and control. Understanding the potential exposure is key, as these devices often operate at the network edge and interact with external systems.

  • Uncontrolled file paths let attackers run code remotely.
  • Edge devices are prime targets for network attacks.
  • Confirm relevance and assess exposure to this risk.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request over the network to Azure Stack Edge. This request would target a feature that handles file names or paths, tricking the system into executing arbitrary code. Successful exploitation could allow an unauthorized attacker to gain control of the affected device remotely.

  • No authentication required.
  • Specially crafted network request.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

An unauthorized attacker could execute code over a network by manipulating file names or paths within Azure Stack Edge, when such operations are exposed externally. This could impact the confidentiality, integrity, and availability of the affected system.

  • System code execution.
  • External control of file paths.
  • Compromised system integrity and availability.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Azure Stack Edge deployments require joint ownership between infrastructure or platform teams managing the appliances and security teams responsible for network exposure and threat mitigation. The immediate priority is to identify all Azure Stack Edge instances, assess their network reachability and business criticality, and confirm the owning team for each. A risk-based remediation plan should then be developed, potentially involving vendor coordination or temporary risk reduction measures.

  • Infrastructure or platform teams own the issue.
  • Verify network exposure and business criticality.
  • Plan risk-based remediation with vendor.

Frequently asked questions

What is Azure Stack Edge?

Azure Stack Edge is a hardware appliance designed for edge computing. It processes data locally near where it is collected and connects to Azure cloud services for management, storage, and machine learning. Organizations use these devices as gateways to bridge on-premises data with cloud workflows, often positioning them at the network edge to ensure fast, efficient data handling.

What does CWE-73 mean for CVE-2026-47643?

CWE-73 refers to the external control of a file name or path. In the context of this vulnerability, it means the system does not properly validate or restrict the file paths provided in certain network requests. Because the software accepts these inputs without enough verification, a remote attacker can manipulate them to direct the system to interact with unauthorized files or execute unintended code, bypassing standard security controls.

How is this vulnerability triggered?

The vulnerability is triggered when an attacker sends a specially crafted network request to the device. This request specifically targets a feature that handles file names or directory paths. Importantly, the flaw is not triggered by standard, legitimate operations or routine system communication; it requires an intentionally malicious payload designed to exploit the lack of input validation to force the device into performing unauthorized actions.

How does Halo Surface Signal define the risk?

Halo Surface Signal indicates that Azure Stack Edge devices are frequently deployed as internet-facing nodes or edge gateways. Because these devices are specifically designed to interact with both local networks and the broader internet, they are often discoverable and accessible from outside a private network. This inherent connectivity increases the likelihood that a vulnerable device could be identified and targeted by an external attacker.

What should I do if I use Azure Stack Edge?

Start by identifying all deployed Azure Stack Edge instances within your environment. Work with the infrastructure and security teams to determine which devices are accessible from the network and evaluate their business criticality. Prioritize these assets and coordinate with the vendor to stay updated on official remediation guidance, while assessing if temporary network restrictions can reduce the device's exposure until a permanent solution is applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished