Microsoft Patches Elevation-of-Privilege Flaws in Azure Monitoring and Agent Components
Microsoft disclosed and patched multiple elevation-of-privilege vulnerabilities affecting Azure agent components, including Azure Monitor Agent, the Azure Monitor Agent Metrics Extension, the Azure Connected Machine Agent, and the Azure Network Watcher VM Extension. The newly detailed issues include CVE-2026-32204, an Important flaw in Azure Monitor Agent caused by external control of file name or path (CWE-73), and CVE-2026-42830, an Important untrusted search path vulnerability (CWE-426) in the Metrics Extension. Microsoft said both flaws could be exploited locally by low-privileged attackers to gain elevated privileges, with CVE-2026-32204 potentially enabling file writes and unauthorized code execution as root, while CVE-2026-42830 could lead to privilege escalation and arbitrary code execution through implicit loading behavior tied to OpenSSL configuration handling.
The disclosures add to a broader pattern of privilege-escalation fixes across Azure management tooling, following earlier advisories for CVE-2024-35254 in Azure Monitor Agent, CVE-2023-35624 in Azure Connected Machine Agent, and CVE-2025-21188 in the Azure Network Watcher VM Extension. Microsoft assigned a CVSS 3.1 score of 7.8 to CVE-2026-32204 and 6.5 to CVE-2026-42830, said neither issue was publicly disclosed or exploited at the time of publication, and released official fixes. Microsoft credited Cristhian Parrot of Kroll for reporting CVE-2026-42830 through coordinated vulnerability disclosure.
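As a defender-side illustration of the untrusted search path class (CWE-426) described above, the following added example audits every component of a file path that a privileged process loads implicitly, such as an OpenSSL configuration file. It is not code from Microsoft or from the advisories; the function name `audit_load_path`, the finding labels, and the rule that only UID 0 is trusted are assumptions made for this sketch, and the path to check is supplied by the administrator.

```python
import os
import stat

# Write permission for anyone other than the owner.
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_load_path(path, trusted_uids=frozenset({0})):
    """Walk from `path` up to / and return (path, reason) findings.

    A privileged process that implicitly loads `path` is only as safe as
    every component of it: a missing file, a symlink, or an entry that an
    unprivileged account owns or can write lets that account choose what loads.
    """
    findings = []
    current = os.path.abspath(path)
    while True:
        try:
            st = os.lstat(current)  # lstat: inspect the link itself, do not follow it
        except (FileNotFoundError, NotADirectoryError):
            # Nothing there yet: whoever can write the parent can create it.
            findings.append((current, "missing"))
        else:
            if stat.S_ISLNK(st.st_mode):
                findings.append((current, "symlink"))  # target needs its own audit
            else:
                if st.st_uid not in trusted_uids:
                    findings.append((current, "untrusted-owner"))
                if st.st_mode & SHARED_WRITE:
                    findings.append((current, "writable-by-group-or-other"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <config-file> [<config-file> ...]
    for target in sys.argv[1:]:
        for where, reason in audit_load_path(target):
            print(f"{target}: {reason}: {where}")
```

An empty result means every existing component is owned by a trusted UID and is not writable by group or other; findings are listed from the file upward.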

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2026-42830 in Azure Monitor Agent Metrics Extension
Microsoft disclosed CVE-2026-42830, an Important elevation-of-privilege vulnerability in the Azure Monitor Agent Metrics Extension caused by an untrusted search path issue tied to OpenSSL configuration auto-loading. Microsoft said a low-privileged local attacker could achieve elevated privileges and arbitrary code execution, credited Cristhian Parrot of Kroll for reporting it, and stated that a fix was available and exploitation was not observed.
Microsoft discloses CVE-2026-32204 in Azure Monitor Agent
Microsoft disclosed CVE-2026-32204, an Important elevation-of-privilege flaw in Azure Monitor Agent caused by external control of file name or path. The company said the issue could let a low-privileged local attacker write files and execute code as root, and that a fix was available with no evidence of public disclosure or in-the-wild exploitation.
Microsoft publishes advisory for CVE-2025-21188 in Azure Network Watcher VM Extension
Microsoft published a Security Update Guide advisory for CVE-2025-21188, an elevation of privilege vulnerability affecting the Azure Network Watcher VM Extension.
Microsoft publishes advisory for CVE-2024-35254 in Azure Monitor Agent
Microsoft published a Security Update Guide entry for CVE-2024-35254, identifying an elevation of privilege vulnerability in the Azure Monitor Agent.
Microsoft publishes advisory for CVE-2023-35624 in Azure Connected Machine Agent
Microsoft published a Security Update Guide advisory for CVE-2023-35624, an elevation of privilege vulnerability affecting the Azure Connected Machine Agent.
Sources
CVE-2026-42830 - Security Update Guide - Microsoft - Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2026-32204 - Security Update Guide - Microsoft - Azure Monitor Agent Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2025-21188 - Security Update Guide - Microsoft - Azure Network Watcher VM Extension Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2024-35254 - Security Update Guide - Microsoft - Azure Monitor Agent Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2023-35624 - Security Update Guide - Microsoft - Azure Connected Machine Agent Elevation of Privilege Vulnerability (portal.msrc.microsoft.com)


