Entries about Microsoft Azure Local Disconnected Operations (ALDO) — CVSS 10.0 unauthenticated network elevation-of-privilege; MSRC Exploitation More Likely (2)
Microsoft assigned CVE-2026-42822 (CVSS 3.1 = 10.0, CWE-287 Improper Authentication, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO) — Microsoft's solution for running Azure services in air-gapped or partially disconnected infrastructure environments — that allows an unauthorised attacker to elevate privileges over the network with no credentials and no prior foothold (Microsoft MSRC, 2026-05-18). MSRC rates it "Exploitation More Likely"; no in-the-wild exploitation had been observed and no public PoC existed at advisory release. Cloud-managed Azure customers using Microsoft-operated Resource Manager environments are already protected — only manually operated air-gapped Azure Local stacks need action. Remediation requires upgrading ALDO to version 2604 or later via the standard ALDO update channel. Defender takeaway: EU public-sector operators running Azure Local for data-sovereignty / federal data-residency compliance (a common pattern in Bundesverwaltung and German Bundesbehörden environments) should treat this as a Patch-Tuesday-class emergency on disconnected infrastructure, where update cadence is typically slower than on cloud-managed Azure. Restrict the ALDO management plane to admin-only out-of-band (OOB) subnets until v2604 is installed.
Microsoft assigned CVE-2026-42822 (CVSS 10.0, CWE-287 Improper Authentication, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO), rated "Exploitation More Likely." ALDO is the air-gapped/sovereign-cloud deployment mode that public-sector and regulated operators specifically choose for data-residency reasons — so this CVSS-10 bug lands squarely on the deployments most likely to hold sensitive workloads. No confirmed exploitation; treat as a high-priority patch given the "More Likely" rating and the sovereign-deployment exposure.