Security News > 2022 > March > Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

SentinelOne this week detailed a handful of bugs, including two critical remote code execution vulnerabilities, it found in Microsoft Azure Defender for IoT. These security flaws, which took six months to address, could have been exploited by an unauthenticated attacker to compromise devices and take over critical infrastructure networks.
Microsoft Azure Defender for IoT is supposed to detect and respond to suspicious behavior as well as highlight known vulnerabilities, and manage patching and equipment inventories, for Internet-of-Things and industrial control systems.
"Successful attack may lead to full network compromise, since Azure Defender For IoT is configured to have a TAP on the network traffic," according to a technical analysis by SentinelLabs' Kasif Dekel and independent researcher Ronen Shustin.
Two of the critical bugs in Defender for IoT, CVE-2021-42311 and CVE-2021-42313, were SQL injection vulnerabilities and both received a perfect 10 out of 10 score in terms of severity.
CVE-2021-42310, which is ranked as a high-severity vulnerability, targets the Defender for IoT device password recovery mechanism.
While none of these bugs were exploited beyond SentinelLab's proof-of-concept code, these vulnerabilities are "Particularly concerning when it comes to IoT and OT devices that have little to no defenses and depend entirely on these vulnerable platforms for their security posture," the analysis warned.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/30/sentinelone_microsoft_azure_iot/
Related news
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft names alleged credential-snatching 'Azure Abuse Enterprise' operators (source)
- Microsoft Exposes LLMjacking Cybercriminals Behind Azure AI Abuse Scheme (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-15 | CVE-2021-42313 | SQL Injection vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 0.0 |
2021-12-15 | CVE-2021-42311 | SQL Injection vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 0.0 |
2021-12-15 | CVE-2021-42310 | Unspecified vulnerability in Microsoft Defender for IOT Microsoft Defender for IoT Remote Code Execution Vulnerability | 9.8 |