PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23652 Microsoft CVE debrief

A critical command injection vulnerability (CWE-77, Improper Neutralization of Special Elements used in a Command) in Microsoft Power Pages allows an unauthenticated network attacker to execute arbitrary commands on the affected service. The CVE was published 2026-05-22 and last modified 2026-05-27; it carries a CVSS 3.1 base score of 10.0 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The NVD entry was still marked 'Undergoing Analysis' as of the last source modification. No CISA KEV listing and no known ransomware campaign use have been identified. Because Power Pages is a Microsoft-hosted service, the fix may be applied on the service side; organizations using Power Pages should monitor the Microsoft Security Response Center (MSRC) advisory to confirm whether any customer-side action is required and apply any updates per vendor guidance.

Vendor
Microsoft
Product
Microsoft Power Pages
CVSS
CRITICAL 10.0
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-22
Original CVE updated
2026-05-27
Advisory published
2026-05-22
Advisory updated
2026-05-27

Who should care

Organizations operating Microsoft Power Pages sites, security teams responsible for low-code/no-code platforms such as Power Platform, and incident response teams preparing for unauthenticated RCE scenarios against hosted services.

Technical summary

Microsoft Power Pages contains a command injection vulnerability (CWE-77) that allows an unauthenticated remote attacker to execute arbitrary commands. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H breaks down as: network attack vector, low attack complexity, no privileges required, no user interaction, changed scope (the impact reaches components beyond the vulnerable one, which is why the score is not capped below 10.0), and high confidentiality, integrity and availability impact. The resulting base score is the maximum of 10.0, rated CRITICAL.

Defensive priority

Critical

Recommended defensive actions

  • Monitor the Microsoft Security Response Center (MSRC) advisory for the security update; because Power Pages is a Microsoft-hosted service, confirm whether the fix is applied service-side or requires customer action, and apply any required update immediately
  • Review Power Pages sites for unauthorized configuration changes (site settings, web templates, custom code) and for anomalous administrative activity in the Power Platform admin center
  • Limit exposure: Power Pages sites are public web applications by design, so network segmentation helps only where a site does not need to be public; for those sites, use the platform's site visibility and IP address restriction settings to reduce the unauthenticated attack surface
  • Enable logging and monitoring for Power Pages environments (for example, Dataverse auditing and Power Platform activity logging) so that exploitation attempts and post-compromise activity can be detected
  • Prepare incident response procedures for a compromise, given the critical severity and the unauthenticated, scope-changing exploitation vector

Evidence notes

The CVE description confirms command injection in Microsoft Power Pages with a network-based attack vector. The CVSS 3.1 vector indicates unauthenticated exploitation (PR:N), low attack complexity (AC:L) and changed scope (S:C), meaning impact beyond the vulnerable component. The Microsoft MSRC reference is the primary source. The NVD status 'Undergoing Analysis' indicates that NVD's own assessment was still in progress at the time of the last source modification.

Official resources

Microsoft Security Response Center (MSRC) advisory for CVE-2026-23652, published 2026-05-22