Description
Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an access‑control weakness that lets an attacker who already has authorized access to a machine managed by Azure Connected Machine Agent elevate their privileges. By abusing the improper permission checks, the attacker can gain higher level rights on the local system, potentially allowing them to read, modify, or delete critical data and configurations, thereby compromising system integrity and confidentiality.

Affected Systems

The affected component is Microsoft Azure Connected Machine Agent. No specific version details are provided, so all deployments of this agent are potentially impacted until a vendor fix is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates a medium‑to‑high severity for this flaw. The EPSS score is not available, so the likelihood of exploitation is currently unknown, but the vulnerability is not listed in CISA’s KEV catalog. The attack vector appears to be local, requiring an attacker to already possess authorized credentials on the target machine. Because the flaw allows privilege escalation from authenticated states, the risk to exposed systems is significant if the agent runs with elevated rights.

Generated by OpenCVE AI on May 12, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Azure Connected Machine Agent update that contains the vendor fix for this issue.
  • Enforce least privilege and role‑based access control on all machines that the agent manages, reducing the impact of any compromised credentials.
  • Limit the agent’s network and API permissions to only the scopes required for its operation, preventing unauthorized access to sensitive resources.

Generated by OpenCVE AI on May 12, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
Title Azure Connected Machine Agent Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft azure Connected Machine Agent
Weaknesses CWE-284
CPEs cpe:2.3:a:microsoft:azure_connected_machine_agent:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Connected Machine Agent
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Connected Machine Agent
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:15:46.658Z

Reserved: 2026-04-11T23:06:15.616Z

Link: CVE-2026-40381

cve-icon Vulnrichment

Updated: 2026-05-13T09:58:19.350Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:16.970

Modified: 2026-05-18T13:35:34.993

Link: CVE-2026-40381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses