Skip to main content

Azure Monitor Agent CVE-2026-32204

| EUVDEUVD-2026-29574 HIGH
External Control of File Name or Path (CWE-73)
2026-05-12 microsoft GHSA-8pm6-3cpv-xjv2
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:30 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.8

DescriptionCVE.org

External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

AnalysisAI

Path traversal in Azure Monitor Agent enables low-privileged local attackers to escalate to SYSTEM/root privileges via malicious file path manipulation. Microsoft has released security patches. Attack vector is local (AV:L) with low complexity (AC:L), requiring only basic local credentials (PR:L) but no user interaction. EPSS exploitation probability is 0.04% (4th percentile), indicating low likelihood of mass exploitation, though the attack is straightforward once local access is obtained.

Technical ContextAI

This vulnerability is a classic external control of file name or path issue (CWE-73), also known as path traversal. The Azure Monitor Agent - Microsoft's telemetry and monitoring service that runs with elevated privileges on Windows and Linux hosts - fails to properly validate file paths provided by low-privileged users. By injecting directory traversal sequences (e.g., '../../../' or absolute paths) into file operations, attackers can force the agent to read from or write to arbitrary filesystem locations outside intended directories. Because the agent runs as SYSTEM (Windows) or root (Linux), successful exploitation allows privilege escalation from a standard user account to full administrative control. The CPE cpe:2.3:a:microsoft:azure_monitor:*:*:*:*:*:*:*:* indicates all versions of the agent were potentially vulnerable prior to patching, though specific affected version ranges are not independently confirmed in available data.

RemediationAI

Apply the security update released by Microsoft via the March 2026 patch cycle. For Azure VM extensions, updates typically deploy automatically within 24-48 hours if auto-update is enabled; verify agent version post-deployment using 'Get-AzVMExtension' (PowerShell) or Azure Portal. For Arc-enabled servers and standalone installations, manually upgrade the agent to the patched version specified in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32204. If immediate patching is not feasible, implement defense-in-depth controls: restrict local logon rights to trusted administrators only via Group Policy or PAM solutions (reduces PR:L attack surface); enable application control policies (AppLocker/WDAC on Windows, AppArmor/SELinux on Linux) to prevent unauthorized processes from interacting with agent directories; audit file system access to Azure Monitor Agent installation paths (typically C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent on Windows, /var/lib/waagent on Linux) to detect traversal attempts. Note that restricting agent permissions may break legitimate monitoring functionality and should be tested in non-production environments first.

Share

CVE-2026-32204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy