CVE-2026-40381 Overview
CVE-2026-40381 is an improper access control vulnerability in the Azure Connected Machine Agent. An authorized local attacker can exploit the flaw to elevate privileges on the affected host. The weakness is tracked as [CWE-284] Improper Access Control and carries a CVSS 3.1 base score of 7.8.
The Azure Connected Machine Agent (azcmagent) extends Azure Arc management to non-Azure servers running Windows and Linux. A privilege escalation in this component grants attackers a path from a standard user context to elevated execution on hybrid-managed systems.
Critical Impact
A local, authenticated attacker can gain high-privilege code execution on hosts running the Azure Connected Machine Agent, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft Azure Connected Machine Agent (Azure Arc-enabled servers)
- Windows and Linux hosts onboarded to Azure Arc via the agent
- Specific fixed versions are listed in the Microsoft Security Response Center advisory
Discovery Timeline
- 2026-05-12 - CVE-2026-40381 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40381
Vulnerability Analysis
The Azure Connected Machine Agent runs privileged services to manage extensions, policy, and identity on Arc-enabled servers. Improper access control inside the agent allows a low-privilege local user to interact with resources or operations reserved for the privileged service account.
The attack vector is local and requires the attacker to already hold valid credentials on the host. No user interaction is required, attack complexity is low, and successful exploitation yields full impact across confidentiality, integrity, and availability. The Exploit Prediction Scoring System (EPSS) rates the probability of exploitation at 0.04% as of 2026-05-17, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper access control [CWE-284] within the agent. Privileged resources, files, or interprocess communication endpoints owned by the agent service do not enforce sufficient authorization checks against the calling user. Microsoft has not published the precise affected component path in the public advisory.
Attack Vector
An attacker with an interactive or remote shell session as a standard user on an Arc-enabled host triggers the vulnerable agent functionality. By leveraging the weak access control, the attacker coerces the privileged agent process to perform an action on their behalf, resulting in code execution or file operations as the agent's high-privilege identity. Technical specifics are restricted to the Microsoft Security Advisory.
No public proof-of-concept exploit is available at the time of writing.
Detection Methods for CVE-2026-40381
Indicators of Compromise
- Unexpected child processes spawned by himds, gcarcservice, or extensionservice agent processes
- New or modified files in the agent installation directory written by non-administrative users
- Local account privilege changes or new administrator group memberships shortly after agent activity
- Anomalous invocations of azcmagent subcommands from non-administrative user contexts
Detection Strategies
- Hunt for process lineage where Azure Connected Machine Agent services launch shells, scripting hosts, or LOLBins
- Correlate local logon events with subsequent privileged operations on Arc-enabled hosts
- Alert on writes by low-privilege users to directories or named pipes owned by the agent service
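The process-lineage hunt above, as an added example that is not part of the original advisory: it applies the rule to constructed process-creation events (Sysmon Event ID 1 or auditd EXECVE flattened to CSV). The agent image names come from the indicators listed above; the file paths, hosts and users in the sample are assumptions.

```python
import csv
import io
import re

# Agent service images named in the indicators above (Windows .exe suffix stripped below).
AGENT_PARENTS = {"himds", "gcarcservice", "extensionservice"}
# Shells, scripting hosts and common LOLBins that these services should not normally launch.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "python", "python3", "perl",
    "cmd", "powershell", "pwsh", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32", "certutil", "bitsadmin",
}

# Constructed sample telemetry; not real data. Paths are assumptions, only the basename is matched.
SAMPLE_EVENTS = """\
host,parent_image,image,user
arc-lnx-01,/opt/azcmagent/bin/himds,/usr/bin/bash,root
arc-lnx-01,/opt/azcmagent/bin/himds,/opt/azcmagent/bin/azcmagent,root
arc-win-02,C:\\Program Files\\AzureConnectedMachineAgent\\ExtensionService\\extensionservice.exe,C:\\Windows\\System32\\cmd.exe,NT AUTHORITY\\SYSTEM
arc-win-02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,ARC\\jdoe
arc-win-03,C:\\Program Files\\AzureConnectedMachineAgent\\GCArcService\\gcarcservice.exe,C:\\Windows\\System32\\rundll32.exe,NT AUTHORITY\\SYSTEM
"""


def basename(path: str) -> str:
    """Lowercase image name without directory or .exe suffix, for Windows or Linux paths."""
    name = re.split(r"[\\/]", path.strip())[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def find_suspicious_lineage(csv_text: str) -> list[dict]:
    """Return events where an agent service image spawned a shell, scripting host or LOLBin.

    Caveat: the extension service legitimately launches extension handlers, some of which
    run scripts, so baseline normal children per host before turning this into an alert.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent, child = basename(row["parent_image"]), basename(row["image"])
        if parent in AGENT_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"host": row["host"], "parent": parent, "child": child, "user": row["user"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_lineage(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['host']}: {hit['parent']} -> {hit['child']} as {hit['user']}")
```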
Monitoring Recommendations
- Forward Windows Security, Sysmon, and Linux auditd telemetry from Arc-enabled hosts to a centralized analytics platform such as Singularity Data Lake for retention and correlation
- Use behavioral endpoint protection, including Singularity Endpoint, to flag privilege escalation patterns originating from agent services
- Track agent version inventory across the fleet and alert on hosts running unpatched builds
How to Mitigate CVE-2026-40381
Immediate Actions Required
- Identify all hosts running the Azure Connected Machine Agent using Azure Arc inventory and asset management tools
- Update the agent to the fixed version specified in the Microsoft advisory on every affected host
- Restrict interactive and remote logon rights on Arc-enabled servers to trusted administrative users only
- Review local account membership and recent privilege changes on managed hosts
Patch Information
Microsoft has released a fixed Azure Connected Machine Agent build. Patch details, download links, and version numbers are published in the Microsoft Security Advisory. Apply the update through automatic agent upgrade where enabled, or distribute the installer via existing configuration management tooling.
Workarounds
- No vendor-supplied workaround is documented; patching is the supported remediation
- Limit local logon capability on Arc-enabled hosts to reduce the population of users who can exploit the flaw
- Enforce least privilege and remove standing local accounts that are not required for operations
- Monitor agent processes with endpoint protection until patches are deployed across the fleet
# Check Azure Connected Machine Agent version on Linux
azcmagent show | grep -i "Agent Version"
# Check on Windows (PowerShell)
& "$Env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show | Select-String "Agent Version"
# Trigger upgrade on Linux (package manager dependent)
sudo apt-get update && sudo apt-get install --only-upgrade azcmagent
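The per-host checks above feed the fleet-wide version inventory recommended under Monitoring. This added example, not part of the original advisory, compares collected `azcmagent show` output against a minimum fixed build: the fixed version is a placeholder because the page does not state it, the sample output is constructed, and the exact "Agent Version" line format is an assumption.

```python
import re

# PLACEHOLDER: the advisory page gives no fixed build number; use the one named by Microsoft.
MINIMUM_FIXED_VERSION = "1.50.0"

# Constructed `azcmagent show` excerpts keyed by host; the line format is an assumption, not real data.
SAMPLE_INVENTORY = {
    "arc-lnx-01": "Resource Name : arc-lnx-01\nAgent Version : 1.42.02760.1902\nAgent Status : Connected\n",
    "arc-win-02": "Resource Name : arc-win-02\nAgent Version : 1.50.0\nAgent Status : Connected\n",
    "arc-win-03": "Resource Name : arc-win-03\nAgent Status : Disconnected\n",  # version line missing
}

VERSION_RE = re.compile(r"^\s*Agent Version\s*:\s*(\d+(?:\.\d+)*)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_version(show_output: str):
    """Extract the agent version as a tuple of ints, or None when the line is absent."""
    match = VERSION_RE.search(show_output)
    return tuple(int(part) for part in match.group(1).split(".")) if match else None


def triage(inventory: dict, minimum: str = MINIMUM_FIXED_VERSION) -> dict:
    """Bucket hosts into patched / unpatched / unknown.

    Versions are compared numerically per component (so 1.9 < 1.10), never as strings.
    Hosts whose output lacks a version line are reported as unknown rather than silently
    treated as patched, since a missing line usually means the agent is broken or stale.
    """
    floor = tuple(int(part) for part in minimum.split("."))
    report = {"patched": [], "unpatched": [], "unknown": []}
    for host, output in inventory.items():
        version = parse_version(output)
        if version is None:
            report["unknown"].append(host)
        elif version < floor:
            report["unpatched"].append(host)
        else:
            report["patched"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```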
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.