Multiple Vulnerabilities Disclosed in Golang Go and Microsoft Azure Services
Germany's dCERT published advisories for multiple vulnerabilities affecting Golang Go and several Microsoft Azure services, including Azure DevOps, Data Factory, and Cloud Shell. The Go advisory states that multiple flaws could allow an unspecified attack, indicating potential security impact in applications or environments that rely on the language runtime and related components.
A separate dCERT advisory reported multiple vulnerabilities in Microsoft's cloud platform components, expanding the scope of exposure to development, automation, and shell-access services in Azure. While technical details and exploit conditions were not provided in the advisories, the disclosures indicate that organizations using these technologies should review vendor guidance, identify affected deployments, and prioritize remediation once patches or mitigations are available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes advisory 2026-1409 for Golang Go vulnerabilities
dCERT published advisory 2026-1409 covering multiple vulnerabilities in Golang Go. The reference provides no synopsis or additional technical details.
dCERT publishes advisory 2026-0988 for Golang Go vulnerabilities
dCERT published advisory 2026-0988 covering multiple vulnerabilities in Golang Go. The reference provides no synopsis or additional technical details.
dCERT publishes advisory 2025-2064 for Golang Go vulnerabilities
dCERT published advisory 2025-2064 covering multiple vulnerabilities in Golang Go. The reference provides no synopsis or additional technical details.
dCERT publishes advisory 2026-0777 for Microsoft Azure services
dCERT published advisory 2026-0777 covering multiple vulnerabilities affecting Microsoft Azure DevOps, Data Factory, and Cloud Shell. The reference does not include additional details on impact or remediation.
dCERT publishes advisory 2026-0538 for Golang Go vulnerabilities
dCERT published advisory 2026-0538 بشأن multiple vulnerabilities in Golang Go that could allow unspecified attacks. No further synopsis or technical details were provided in the reference.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1409 - Golang Go: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0988 - Golang Go: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0777 - Microsoft Azure DevOps, Data Factory and Cloud Shell: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0538 - Golang Go: Multiple Vulnerabilities allow unspecified attack
dcert.de
Open sourcedCERT - Advisory 2025-2064 - Golang Go: Multiple Vulnerabilities
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Microsoft Azure Vulnerabilities Enable Privilege Escalation
Germany's dCERT published two advisories covering **multiple vulnerabilities in Microsoft Azure**, with the later notice stating that the flaws can allow **privilege escalation**. The advisories identify Azure as the affected platform but provide no public synopsis, indicating only that several security issues were addressed across the cloud service. The paired notices suggest an evolving disclosure in which Microsoft Azure vulnerabilities were first reported broadly and then updated with a more specific impact assessment tied to elevated privileges. Organizations using Azure should review the corresponding vendor guidance and remediation information for the affected services, prioritize patching, and assess whether exposed identities, roles, or cloud resources could be affected by unauthorized privilege gains.
May 8, 2026
Denial-of-Service Flaws Disclosed in Golang Go and Go `sys` Components
German CERT advisories disclosed denial-of-service vulnerabilities affecting **Golang Go** and the **Go `sys`** component. The notices identify two separate issues, tracked as dCERT advisories `2025-2420` and `2026-1635`, with both describing flaws that could allow an attacker to disrupt availability rather than achieve code execution or privilege escalation. The advisories provide limited public detail, but the impact is clear: organizations using affected Go runtimes or the `golang.org/x/sys` package should review vendor guidance, identify exposed services and dependent applications, and prioritize updates or mitigations to reduce the risk of service interruption. The disclosures highlight continued availability risk in widely used Go software components that may be embedded across internal tools, cloud services, and third-party products.
May 26, 2026
Microsoft Discloses Critical Azure MCP Server and AKS Authentication Flaws
Microsoft disclosed two high-severity vulnerabilities affecting hosted Azure services: **CVE-2026-32211** in **Azure MCP Server** and **CVE-2026-33105** in **Azure Kubernetes Service (AKS)**. The Azure MCP Server issue is an information disclosure flaw tied to **missing authentication for a critical function** (`CWE-306`), allowing an unauthenticated attacker to access sensitive information over the network. Its CVSS v3.1 vector, `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`, indicates remote exploitation with no privileges or user interaction required. Microsoft also published **CVE-2026-33105**, an **improper authorization** vulnerability in AKS mapped to `CWE-285`, which could let an unauthenticated attacker **elevate privileges** remotely. The CVSS v3.1 vector, `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, reflects potential high impact across confidentiality, integrity, and availability. Both entries were identified as affecting **exclusively hosted services** and point defenders to Microsoft’s MSRC advisories for service-specific remediation and exposure assessment.
Apr 3, 2026