Azure Arc Vulnerability Allows Low-Privilege Users to Hijack Service Communications and Cloud Identity

A chain of vulnerabilities in Azure Arc agent services for Windows allows a low-privileged user to hijack service communications, impersonate the machine’s cloud identity, escalate privileges to NT AUTHORITY\SYSTEM, and even redirect the machine to connect to an attacker-controlled Azure tenant.

Researchers from Cymulate Research Labs discovered weaknesses in how Azure Arc agents on Windows machines initialize and authenticate their cloud identity services. Because of these weaknesses, a low-privileged local user can intercept internal agent communications, escalate privileges to a local administrator, and access the Azure identity associated with the machine.

Using the same technique, attackers could also trick the machine into connecting to an attacker-controlled Azure tenant.

Beyond local privilege escalation, the impact can extend into the cloud: Azure Arc machine identities may hold Azure RBAC permissions, so an attacker who compromises a single machine may also gain access to every Azure resource that the machine’s identity can reach.

To mitigate this issue, organizations must update the Azure Arc agent components on all Arc-joined machines.

The vulnerability was first reported to Microsoft in November 2025. On March 10, Microsoft released Azure Arc Agent version 1.61 to fix CVE-2026-26117. Cymulate recommends that all organizations using Azure Arc-joined Windows machines apply the update immediately.


Executive Summary

A chain of vulnerabilities in the Windows Azure Arc agent stack (HIMDS, Guest Configuration, and ARC Proxy) allows a low-privileged user to interfere with communication between Arc services and manipulate their responses.

If successfully exploited, an attacker can:

  • Force the machine to connect to an attacker-controlled Azure tenant
  • Take control of the Azure Arc machine object
  • Impersonate the machine identity and inherit its RBAC permissions
  • Modify machine properties in Azure
  • Escalate local privileges to NT AUTHORITY\SYSTEM

Recommended Actions for Organizations Using Azure Arc

Organizations using Azure Arc should take the following steps:

  1. Update all Azure Arc agents to the latest version.
  2. Run Cymulate simulations to validate exposure.

Who Is Affected

All Azure Arc-joined Windows machines running Azure Arc Agent versions below 1.61 are vulnerable.


Severity and Potential Impact

Successful exploitation can lead to:

  • Local privilege escalation from a low-privileged user to NT AUTHORITY\SYSTEM
  • Full control over the machine’s Azure Arc object
  • Use of the machine identity’s RBAC permissions
  • Modification of cloud-side machine properties
  • Access to sensitive data
  • Possible lateral impact if the machine’s RBAC permissions affect other cloud resources
  • Defense evasion, such as removing Microsoft Defender for Endpoint from the compromised machine

Affected Components

Azure Arc agent services installed on Arc-joined Windows machines:

  • Hybrid Instance Metadata Service (HIMDS)
  • Guest Configuration Service
  • ARC Proxy

Preconditions

The attack requires:

  • Low-privileged access to an Azure Arc-joined Windows machine
  • The machine running a vulnerable Arc agent version
  • A system restart, which the attacker can trigger or wait for

Key Findings

1. Delayed Service Startup Creates a Race Condition

Azure Arc services (HIMDS, Guest Configuration, ARC Proxy) are configured with Delayed Start on Windows.

This startup window allows a low-privileged user to log in before the services start and bind to the ports or named pipes they will later use. The attacker can then impersonate the legitimate service and return malicious responses to the components that connect to it.
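As an added defender-side example (not code from the Cymulate advisory or from Microsoft), the following PowerShell inventories on one host the two conditions described here and under Who Is Affected: an agent version below 1.61 and Arc services registered with Delayed Start. The Windows service names are assumptions about how HIMDS, Guest Configuration and ARC Proxy are registered; azcmagent is the agent’s own CLI.

```powershell
# Exposure check for an Arc-joined Windows host (added example, not the advisory's own tooling).
# Reports the agent version against the fixed release and the start mode of the three components.
# Service names are ASSUMED; confirm them against Get-Service output on your estate.
$ArcServices = [ordered]@{
    'himds'        = 'Hybrid Instance Metadata Service (HIMDS)'
    'GCArcService' = 'Guest Configuration Service'
    'arcproxy'     = 'ARC Proxy'
}
$FixedVersion = [version]'1.61'   # release that fixes CVE-2026-26117

function Get-ArcAgentVersion {
    # Parse the first x.y[.z] token printed by 'azcmagent version'; $null if the CLI is absent.
    $cli = Get-Command azcmagent -ErrorAction SilentlyContinue
    if (-not $cli) { return $null }
    $out = (& $cli.Source version 2>$null) -join ' '
    if ($out -match '(\d+\.\d+(\.\d+)?)') { return [version]$Matches[1] }
    return $null
}

function Get-ArcServiceStartup {
    # One row per component: present?, start mode, and whether it is a Delayed Start service.
    foreach ($name in $ArcServices.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service          = $name
            Component        = $ArcServices[$name]
            Present          = [bool]$svc
            StartMode        = $svc.StartMode          # Auto / Manual / Disabled
            DelayedAutoStart = $svc.DelayedAutoStart   # $true = the startup window finding 1 describes
            Account          = $svc.StartName
        }
    }
}

$ver = Get-ArcAgentVersion
if (-not $ver) {
    Write-Warning 'azcmagent not found; this host may not be Arc-joined.'
} elseif ($ver -lt $FixedVersion) {
    Write-Warning "Arc agent $ver is below $FixedVersion and is affected by CVE-2026-26117; update the agent."
} else {
    Write-Output "Arc agent $ver is at or above the fixed version $FixedVersion."
}

# Services still marked DelayedAutoStart = True on an unpatched host are the ones exposed to the race.
Get-ArcServiceStartup | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each Arc-joined host, or wrap it in your configuration-management tooling to collect the rows fleet-wide.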


2. Non-TLS Communication Between Services

Some internal Arc service communications use HTTP (non-TLS).

Without TLS these channels offer no server authentication, integrity or confidentiality, so an attacker who controls the endpoint can impersonate the legitimate service and tamper with the traffic undetected.


3. Weak Identity Verification

The Arc agent uses a dynamic machine identity verification mechanism with insufficient input validation. This allows attackers to manipulate responses and alter the normal execution flow of the services.