PatchSiren cyber security CVE debrief

CVE-2026-40381 Microsoft CVE debrief

A local privilege escalation vulnerability exists in the Azure Connected Machine Agent due to improper access control (CWE-284). An attacker with local access and low privileges can exploit this flaw to gain elevated privileges on affected systems. The vulnerability is rated HIGH severity (CVSS 7.8) with a local attack vector, low attack complexity, and no user interaction required. Successful exploitation results in high impact to confidentiality, integrity, and availability. Microsoft has released version 1.63 of the Azure Connected Machine Agent to address this issue. Organizations should prioritize patching systems running vulnerable versions of the agent, particularly those where non-administrative users have local access.

Vendor: Microsoft
Product: Azure Connected Machine Agent
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Organizations using Azure Arc to manage on-premises, multi-cloud, or edge servers through the Azure Connected Machine Agent. System administrators responsible for Azure Arc deployments and security teams monitoring for privilege escalation risks in hybrid cloud environments.

Technical summary

The Azure Connected Machine Agent, used for Azure Arc-enabled servers, contains an improper access control vulnerability that permits authenticated local attackers to escalate privileges. The flaw exists in versions prior to 1.63 and can be exploited without user interaction. The agent runs with elevated privileges to manage server connectivity to Azure, and insufficient access controls on certain operations allow low-privileged users to execute actions with higher privileges. The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects significant risk for multi-user systems where non-administrative access is granted.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Azure Connected Machine Agent to version 1.63 or later
  • Audit systems for installations of Azure Connected Machine Agent prior to version 1.63
  • Review local user access controls on systems running the Azure Connected Machine Agent
  • Monitor for anomalous privilege escalation attempts on affected systems prior to patching
  • Apply principle of least privilege for local user accounts on Azure Arc-enabled servers
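As an added illustration of the audit step above (example code, not PatchSiren's or Microsoft's), a small Python helper that flags agent installs older than the 1.63 fix from an inventory of "hostname,version" lines. The host names, the inventory format and the assumption that a line may carry raw `azcmagent version` output are constructed for the example; the point it shows is that version components must be compared as integers, not strings, and that unparseable entries must not be silently counted as patched.

```python
import re

FIXED_VERSION = "1.63"  # first fixed release named in the advisory


def parse_version(text):
    """Extract a dotted version from text ('1.63', '1.63.0',
    'azcmagent version 1.45.02800.1234') as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed agent is older than the fixed version.
    Components are compared as integers: a plain string comparison would
    wrongly rank '1.9' above '1.63'. Extra build components are ignored."""
    f = parse_version(fixed)
    return parse_version(version)[: len(f)] < f


def audit_inventory(lines):
    """Split 'hostname,version' lines into (vulnerable, unknown) dicts.
    Unparseable versions go to 'unknown' so they are never silently
    treated as patched."""
    vulnerable, unknown = {}, {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = (s.strip() for s in line.partition(","))
        try:
            if is_vulnerable(version):
                vulnerable[host] = version
        except ValueError:
            unknown[host] = version
    return vulnerable, unknown


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """
# hostname,agent version
arc-web-01,1.62.02400.1001
arc-db-02,1.63
arc-edge-03,1.9
arc-file-04,azcmagent version 1.64.02900.1500
arc-legacy-05,not installed
""".splitlines()

if __name__ == "__main__":
    vuln, unk = audit_inventory(SAMPLE_INVENTORY)
    print("patch needed:", vuln, "| check manually:", unk)
```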

Evidence notes

The vulnerability is confirmed in NVD with vulnStatus 'Analyzed'. CPE criteria indicate affected versions are all versions prior to 1.63 of the Azure Connected Machine Agent. The CVSS 3.1 vector confirms local attack vector with high impact across all three security dimensions.

Official resources

Microsoft disclosed this vulnerability via the Microsoft Security Response Center (MSRC) on May 12, 2026, with subsequent analysis updates on May 18, 2026. The vulnerability has been assigned CWE-284 (Improper Access Control) and affects un