A remote code execution vulnerability in Azure Stack Edge, tracked as CVE-2026-47643 (CVSS 9.8), allows an unauthorised attacker to execute code over a network through external control of file paths. Azure Stack Edge is a hardware-as-a-service appliance for edge computing and data transfer.
What Is the Vulnerability?
CVE-2026-47643 is an external control of file name or path vulnerability (CWE-73) in Azure Stack Edge. An unauthorised attacker can manipulate file paths to execute arbitrary code on the appliance. Azure Stack Edge devices sit at the boundary between on-premises environments and Azure cloud — they process and transfer data, run containerised workloads, and provide local compute at edge locations. Compromising a Stack Edge device gives an attacker a foothold at the network edge with connectivity to both local infrastructure and Azure cloud services.
- CVSS v3.1 Score: 9.8 (Critical)
- CWE: CWE-73 (External Control of File Name or Path)
What Is the Fix?
Apply the June 2026 Patch Tuesday update. For Azure-managed Stack Edge devices, verify that Microsoft has applied the cloud-side patch.
Recommendations
Apply the update. Prioritise Stack Edge devices deployed at remote or branch locations where physical access and manual updates are more difficult.
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
