Impact
Key detail from vendor description: "Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally." The vulnerability is an improper authentication flaw (CWE-288) that permits an attacker who already has some level of access to bypass normal agent authentication and gain elevated local privileges. This could allow the attacker to execute arbitrary code with higher privileges on the affected host, potentially compromising system integrity and confidentiality.
Affected Systems
Affected vendor: Microsoft. Product: Arc Enabled Servers – Azure Connected Machine Agent. The CVE data does not list specific product versions or build numbers; the vulnerability is reported for the Azure Connected Machine Agent in general. Operators should verify whether their agent deployment falls under the scope of this advisory and consult Microsoft for version details.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity for a local privilege escalation. The EPSS score of <1% reflects a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, requiring the attacker to reach the agent through its alternate communication channel or path; however, the exact conditions for exploitation are not detailed in the CVE data. Based on the description, the attacker would need prior authenticated access or the ability to interact with the agent’s alternate channel.