CVE-2025-58724
📋 TL;DR
This vulnerability in Azure Connected Machine Agent allows authenticated attackers to escalate privileges on local systems. Attackers with existing access can gain higher permissions, potentially compromising the entire machine. Organizations using Azure Arc-enabled servers with vulnerable agent versions are affected.
💻 Affected Systems
- Azure Connected Machine Agent
📦 What is this software?
The Azure Connected Machine Agent (azcmagent) is the agent Microsoft ships for onboarding Windows and Linux machines that run outside Azure as Azure Arc-enabled servers, so they can be managed, monitored, and have extensions deployed through Azure. Its services run with system-level privileges on the host, which is why an access control flaw in the agent is usable by a low-privileged local user as a path to elevation.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, enabling lateral movement, data exfiltration, and persistence establishment across the environment.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, access sensitive data, and maintain persistence on compromised systems.
If Mitigated
Limited impact with proper access controls, network segmentation, and monitoring in place, though local compromise of individual systems remains possible.
🎯 Exploit Status
Exploitation requires authenticated local access to the target: the flaw does not give remote or unauthenticated attackers a way in on its own. For an attacker who already has a local foothold, the access control flaw makes escalation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.45.0 or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58724
Restart Required: Yes
Instructions:
1. Update the Azure Connected Machine Agent to version 1.45.0 or later.
2. Azure Arc-enabled servers that take agent updates from Microsoft Update (Windows) or from the Microsoft package repository configured at onboarding (Linux) receive the fixed agent through that channel; confirm the installed version afterwards rather than assuming the update has applied.
3. Manual update on Windows: download the latest agent installer from the Microsoft Download Center and run it. Manual update on Linux: install the updated azcmagent package with the distribution's package manager.
4. Restart affected systems after the update.
🔧 Temporary Workarounds
Restrict Local Access
Limit local user accounts and enforce least-privilege access so that fewer principals can reach the authenticated-local precondition the flaw requires.
Enhanced Monitoring
Monitor for privilege escalation attempts and for unusual activity by or around the agent's processes and services.
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles for all user accounts
- Isolate vulnerable systems using network segmentation and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Read the installed agent version and compare it with 1.45.0. The agent reports its own version on both platforms:
Windows (PowerShell): & "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" version
Linux: azcmagent version
Windows alternative that does not invoke the agent (reads the uninstall registry key; avoid Get-WmiObject Win32_Product, which makes Windows Installer re-validate every installed package and can trigger repair actions):
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like '*Azure Connected Machine Agent*' | Select-Object DisplayName, DisplayVersion
For a fleet-wide view, the agent version of each Arc-enabled server is also exposed in the Azure portal and as properties.agentVersion on Microsoft.HybridCompute/machines resources in Azure Resource Graph.
Verify Fix Applied:
Re-run the same command after updating and rebooting; the reported version must be 1.45.0 or higher. Compare versions numerically, component by component, not as strings (1.9 sorts after 1.45 alphabetically, and 1.100 sorts before it).
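The version comparison above is easy to get wrong in a script, so here is a small checker, added as an example that is not part of this advisory or of Microsoft's tooling. It assumes that `azcmagent version` prints the version as the first dotted-number token of its output and that the Windows binary sits at the default install path; the sample output it parses is constructed, not captured from a real host.

```python
"""Check whether a host's Azure Connected Machine Agent predates the 1.45.0 fix.

Added example, not part of the advisory or of Microsoft's tooling. Assumptions:
`azcmagent version` prints the version as the first dotted-number token of its
output, and on Windows the binary lives at the default install path.
"""
from __future__ import annotations

import platform
import re
import subprocess

FIXED_VERSION = "1.45.0"  # from the vendor advisory
# Assumed default install path of the Windows agent.
WINDOWS_AGENT = r"C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe"

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version from command output as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string found in: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than `fixed`.

    Compares component by component as integers, so 1.9.0 < 1.45.0 and
    1.100.0 > 1.45.0; a plain string comparison gets both of those wrong.
    Shorter tuples are padded with zeros so 1.45 == 1.45.0.
    """
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def local_agent_version() -> str | None:
    """Run `azcmagent version` on this host; None if the agent is not installed or fails."""
    exe = WINDOWS_AGENT if platform.system() == "Windows" else "azcmagent"
    try:
        proc = subprocess.run([exe, "version"], capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return ".".join(str(p) for p in parse_version(proc.stdout))


# Constructed sample output, shaped like `azcmagent version` on a Linux host (assumption).
SAMPLE_OUTPUT = "azcmagent version 1.44.02772.1835\n"

if __name__ == "__main__":
    v = local_agent_version()
    if v is None:
        print("Azure Connected Machine Agent not found on this host")
    else:
        state = "VULNERABLE" if is_vulnerable(v) else "patched"
        print(f"agent {v}: {state} (fixed in {FIXED_VERSION})")
```

Run it on each host after the update and reboot; a `VULNERABLE` result means the old binary is still in place, which is the case worth catching when an update channel was assumed to have done the work.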
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- Azure Arc agent service modifications
- Unexpected local administrator account creation
Network Indicators:
- Anomalous outbound connections from Azure Arc-managed systems
- Unexpected authentication patterns
SIEM Query (Microsoft Sentinel, SecurityEvent table; CommandLine is only populated when "Include command line in process creation events" is enabled in the audit policy):
SecurityEvent
| where (EventID == 4688
         and (ParentProcessName has "azcmagent"
              or (NewProcessName has "azcmagent" and CommandLine has_any ("elevate", "privilege"))))
    or (EventID == 4672
        and SubjectUserName !endswith "$"
        and SubjectUserName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"))
| project TimeGenerated, Computer, EventID, SubjectUserName, NewProcessName, ParentProcessName, CommandLine
The 4672 branch is noisy on hosts where administrators log on interactively; extend the exclusion list with known admin accounts, and treat child processes of the agent binary as the higher-signal branch.
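To show that logic running over events before it goes into a SIEM, here is the same triage as Python, added as an example that is not part of this advisory. The six sample events are constructed; the set of shells a privileged agent should not spawn, the keyword list, and the choice of azcmagent.exe as the only agent binary are assumptions for the example, not indicators documented for this CVE.

```python
"""Triage Windows Security events around the Azure Connected Machine Agent.

Added example, not part of the advisory. The sample events are constructed and
the binary, shell and keyword lists are assumptions chosen for the example.
"""
from __future__ import annotations

# Binaries treated as "the agent" (assumption: the advisory only names azcmagent).
AGENT_BINARIES = {"azcmagent.exe"}
# Interactive shells and script hosts a privileged agent should not normally spawn (assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line keywords from the advisory's query.
KEYWORDS = ("elevate", "privilege")
# Accounts for which 4672 (special privileges assigned at logon) is routine noise.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def _basename(path: str) -> str:
    """Last path component, lower-cased; handles both separator styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> str | None:
    """Return a short reason if the event deserves an analyst's attention, else None."""
    eid = event.get("EventID")
    if eid == 4688:
        parent = _basename(event.get("ParentProcessName", ""))
        child = _basename(event.get("NewProcessName", ""))
        cmd = event.get("CommandLine", "").lower()
        if parent in AGENT_BINARIES and child in SHELLS:
            return f"{parent} spawned interactive shell {child}"
        if (parent in AGENT_BINARIES or child in AGENT_BINARIES) and any(k in cmd for k in KEYWORDS):
            return f"agent-related process with {'/'.join(KEYWORDS)} on command line"
        return None
    if eid == 4672:
        user = event.get("SubjectUserName", "").upper()
        if user in SERVICE_ACCOUNTS or user.endswith("$"):  # machine accounts end in $
            return None
        return f"special privileges assigned to non-service account {user}"
    return None


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Apply classify() to each event and keep the hits as (RecordId, reason)."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append((event["RecordId"], reason))
    return hits


# Constructed sample events shaped like Sentinel SecurityEvent rows.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4688, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 2, "EventID": 4688, "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"RecordId": 3, "EventID": 4688, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe",
     "CommandLine": "azcmagent.exe version"},
    {"RecordId": 4, "EventID": 4672, "SubjectUserName": "SYSTEM"},
    {"RecordId": 5, "EventID": 4672, "SubjectUserName": "alice"},
    {"RecordId": 6, "EventID": 4672, "SubjectUserName": "ARCHOST$"},
]

if __name__ == "__main__":
    for record_id, reason in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {reason}")
```

Record 3 is the agent's own routine start-up and is deliberately not flagged: the signal is the agent spawning something it has no business spawning, not the agent being present. Records 1 and 5 are the two hits; 5 would be an interactive admin logon on a real host, which is why the 4672 branch needs a tuned exclusion list before it is alertable.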