Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
AnalysisAI
Path traversal in Azure Monitor Agent enables low-privileged local attackers to escalate to SYSTEM/root privileges via malicious file path manipulation. Microsoft has released security patches. Attack vector is local (AV:L) with low complexity (AC:L), requiring only basic local credentials (PR:L) but no user interaction. EPSS exploitation probability is 0.04% (4th percentile), indicating low likelihood of mass exploitation, though the attack is straightforward once local access is obtained.
Technical ContextAI
This vulnerability is a classic external control of file name or path issue (CWE-73), also known as path traversal. The Azure Monitor Agent - Microsoft's telemetry and monitoring service that runs with elevated privileges on Windows and Linux hosts - fails to properly validate file paths provided by low-privileged users. By injecting directory traversal sequences (e.g., '../../../' or absolute paths) into file operations, attackers can force the agent to read from or write to arbitrary filesystem locations outside intended directories. Because the agent runs as SYSTEM (Windows) or root (Linux), successful exploitation allows privilege escalation from a standard user account to full administrative control. The CPE cpe:2.3:a:microsoft:azure_monitor:*:*:*:*:*:*:*:* indicates all versions of the agent were potentially vulnerable prior to patching, though specific affected version ranges are not independently confirmed in available data.
RemediationAI
Apply the security update released by Microsoft via the March 2026 patch cycle. For Azure VM extensions, updates typically deploy automatically within 24-48 hours if auto-update is enabled; verify agent version post-deployment using 'Get-AzVMExtension' (PowerShell) or Azure Portal. For Arc-enabled servers and standalone installations, manually upgrade the agent to the patched version specified in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32204. If immediate patching is not feasible, implement defense-in-depth controls: restrict local logon rights to trusted administrators only via Group Policy or PAM solutions (reduces PR:L attack surface); enable application control policies (AppLocker/WDAC on Windows, AppArmor/SELinux on Linux) to prevent unauthorized processes from interacting with agent directories; audit file system access to Azure Monitor Agent installation paths (typically C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent on Windows, /var/lib/waagent on Linux) to detect traversal attempts. Note that restricting agent permissions may break legitimate monitoring functionality and should be tested in non-production environments first.
More in Azure Monitor
View allSame weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29574
GHSA-8pm6-3cpv-xjv2