Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity

CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host's Azure managed identity — granting access to all Azure resources the machine identity can reach. Microsoft rated the flaw CVSS 7.8; patch immediately given Arc's growing enterprise footprint.

A local privilege escalation vulnerability in the Azure Arc Connected Machine Agent for Windows — the software that enrols on-premises and multi-cloud Windows servers into Microsoft’s hybrid cloud management plane — allows an attacker with standard domain user credentials to escalate to SYSTEM-level privileges and, critically, to exfiltrate or use the machine’s Azure managed identity token. That token, once obtained, can be used to authenticate to any Azure resource that the Arc-enrolled machine has been granted access to.

The flaw, CVE-2026-26117 (CVSS 7.8, HIGH), was discovered by Cymulate researchers and disclosed to Microsoft’s Security Response Centre under coordinated vulnerability disclosure. A patch was issued in the Azure Arc Windows agent version 1.39.

The Vulnerability Chain

Azure Arc’s Windows agent runs a local service (himds.exe) that vends managed identity tokens to processes running on the machine. Access to this token endpoint is intended to be restricted to processes running at elevated privilege levels. However, CVE-2026-26117 involves a race condition and insufficient access control on a named pipe used for internal agent communication.

By racing the named pipe connection timing during agent service startup or a periodic metadata refresh cycle, an unprivileged user-mode process can gain a handle to the pipe before the access control list is properly applied. Through this handle, the attacker can request a managed identity access token from the Azure Instance Metadata Service (IMDS) proxy — the same token that legitimate SYSTEM-level services use to authenticate to Azure.

The exploit sequence documented by Cymulate:

  1. Attacker authenticates to the Windows host with any domain user account
  2. Monitors for agent service startup or metadata refresh events using system event tracing
  3. Races the named pipe to obtain an unprotected handle
  4. Issues a managed identity token request through the handle
  5. Receives a valid short-lived Azure AD access token scoped to the machine identity
  6. Uses the token directly against Azure Management API, Azure Key Vault, or any Azure resource the machine identity can access

Scope of Exposure

The practical impact extends well beyond local privilege escalation on the affected host. In typical enterprise Arc deployments:

  • Arc-enrolled servers are granted Azure RBAC roles — commonly Contributor on resource groups, Key Vault Secrets User, or Log Analytics Contributor — to enable Azure Monitor, Defender for Cloud, and Automanage integration.
  • A managed identity token for a high-value server (a domain controller, a secrets management server, or a backup target enrolled in Arc) provides Azure-plane access to potentially sensitive resources.
  • The token’s default lifetime is one hour, providing an attacker with a persistence-free but usable access window without triggering conventional credential theft detection.

Environments that have enrolled Arc on sensitive servers with broad Azure RBAC role assignments are at greatest risk.

Recommended Actions

  • Update Azure Arc Windows agent to version 1.39 or later — Microsoft has published the update through Microsoft Update and Arc policy-based automatic update. Verify via azcmagent version on enrolled hosts.
  • Audit Arc machine identity role assignments — in the Azure portal, review each Arc-enrolled server’s RBAC role assignments (Identity → Azure role assignments); revoke roles that exceed minimum operational requirements.
  • Implement Azure IMDS access logging — Arc managed identity token requests do not generate verbose audit events by default; enable Azure Monitor diagnostic settings on key vaults and resource groups to log getSecret and listKeys operations by managed identity callers.
  • Review Arc enrolment scope — evaluate whether high-sensitivity servers (domain controllers, PKI infrastructure, PAM systems) should be enrolled in Arc at all; the management benefit must be weighed against the expanded attack surface.
  • Harden named pipe permissions — for hosts that cannot immediately patch, consult Microsoft’s workaround guidance; temporary access control changes to the relevant himds named pipe can mitigate the race condition.
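The version check in the first recommendation can be run across a fleet rather than host by host. The following PowerShell is an added example, not code from the article, Cymulate or Microsoft; it assumes PowerShell remoting is enabled on the target hosts, that azcmagent.exe is on the PATH there, and that the output of azcmagent version contains the agent version as its first dotted number. Host names are placeholders.

```powershell
# Added example: report Arc-enrolled Windows hosts whose Connected Machine
# Agent is older than 1.39 (the fixed version named in the article).
$MinimumVersion = [version]'1.39'
$ArcHosts = @('arc-srv-01', 'arc-srv-02')   # placeholder host names

# Collect service state and agent version from each host; unreachable hosts
# produce an error but do not stop the run.
$results = Invoke-Command -ComputerName $ArcHosts -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name himds -ErrorAction SilentlyContinue
    $version = $null
    if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
        $raw = & azcmagent version 2>&1 | Out-String
        # Assumption: the first dotted number in the output is the agent version.
        $m = [regex]::Match($raw, '\d+\.\d+(\.\d+)*')
        if ($m.Success) { $version = $m.Value }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HimdsStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        AgentVersion = $version
    }
}

# Compare on major.minor only so build suffixes such as 1.39.x do not
# sort below the bare 1.39 threshold; a missing version is treated as unpatched.
$results | ForEach-Object {
    $needsPatch = $true
    if ($_.AgentVersion) {
        $v = [version]$_.AgentVersion
        $needsPatch = ([version]"$($v.Major).$($v.Minor)") -lt $MinimumVersion
    }
    [pscustomobject]@{
        ComputerName = $_.ComputerName
        HimdsStatus  = $_.HimdsStatus
        AgentVersion = $_.AgentVersion
        NeedsPatch   = $needsPatch
    }
} | Format-Table -AutoSize
```

Hosts that report NeedsPatch as True and a non-running himds service are worth a second look, since a stopped agent also means the managed identity token endpoint is not being served at all.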
