CVE-2026-23652 - Microsoft Power Pages Command Injection
CVE-2026-23652 is a critical command injection vulnerability in Microsoft Power Pages, allowing an unauthorized attacker to execute arbitrary code over the network by injecting commands.
CVE-2026-23652 describes a command injection vulnerability affecting Microsoft Power Pages. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the system by injecting malicious commands into the application. The vulnerability stems from improper neutralization of special elements used within a command. Successful exploitation results in full compromise of the Power Pages instance. Defenders should apply available patches immediately.
Attack Chain
- The attacker identifies a vulnerable Microsoft Power Pages instance exposed to the network.
- The attacker crafts a malicious HTTP request containing a command injection payload within a user-supplied input field.
- The Power Pages application fails to properly sanitize the input, passing the attacker-controlled data to a system command.
- The injected command is executed by the underlying operating system with the privileges of the Power Pages application.
- The attacker leverages the command execution to establish a reverse shell to an attacker-controlled server.
- The attacker uses the reverse shell to gain interactive access to the compromised server.
- The attacker performs reconnaissance to discover sensitive data and credentials.
- The attacker uses the gained access to pivot to other systems on the network and potentially exfiltrate sensitive information or cause further damage.
Impact
Successful exploitation of CVE-2026-23652 can lead to complete compromise of the affected Microsoft Power Pages instance. This can result in unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. Given the critical severity and ease of exploitation (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), organizations using Power Pages are at high risk.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-23652 on all Power Pages instances immediately, as referenced in the advisory URL.
- Implement input validation and sanitization measures to prevent command injection attacks, particularly in user-supplied input fields in Power Pages.
- Deploy the Sigma rule "Detect CVE-2026-23652 Exploitation Attempt via Command Injection" to monitor for exploitation attempts.
- Monitor web server logs for suspicious HTTP requests containing shell metacharacters.
Detection coverage 2
Detect CVE-2026-23652 Exploitation Attempt via Command Injection
criticalDetects CVE-2026-23652 exploitation attempt - suspicious HTTP request containing shell metacharacters in the query string
Detect CVE-2026-23652 Exploitation Attempt via POST Request
criticalDetects CVE-2026-23652 exploitation attempt - suspicious HTTP POST request containing shell metacharacters
Detection queries are available on the platform. Get full rules →