CVE Alert: CVE-2025-49692 – Microsoft – Azure Connected Machine Agent

CVE-2025-49692

HIGH (no exploitation known)

Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.

CVSS v3.1: 7.8
Vendor: Microsoft
Product: Azure Connected Machine Agent
Versions: 1.0.0 up to (excluding) 1.49
CWE: CWE-284: Improper Access Control
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Published: 2025-09-09T17:01:08.470Z
Updated: 2025-09-09T19:23:23.999Z

AI Summary Analysis

Risk verdict

High-severity local privilege escalation risk with no active exploitation indicators detected; patching should still be treated with urgency on affected hosts.

Why this matters

An attacker who already has local access can elevate privileges and gain full control of the host, enabling data exposure, tampering, or persistence. In environments with Azure Arc-enabled or on-premises Windows VMs, widespread footholds could enable broader compromise of a fleet if left unpatched.

Most likely attack path

Exploitation requires local access and low-privilege credentials, with no user interaction needed. Once triggered, code execution at SYSTEM level is possible within the host, increasing the chance of persistent damage. Lateral movement is not guaranteed by this flaw alone, but privilege escalation on a trusted machine can facilitate further abuse or data exfiltration if defenders fail to detect the escalation.

Who is most exposed

Devices enrolled in Azure Connected Machine/Arc deployments, especially on Windows hosts with users or processes that may interact with the agent, are most at risk. Organisations with broad on-premises estates and delayed patching cycles are particularly vulnerable.

Detection ideas

  • Monitor for unexpected privilege escalations or changes to the agent service/process.
  • Look for abnormal creation or modification of processes spawned by the agent.
  • Audit privilege-elevation attempts on machines running the affected agent.
  • Correlate unusual logon activity with elevated rights on host endpoints.
  • Flag attempts to modify agent binaries or config files.

Mitigation and prioritisation

  • Patch to version 1.49 or later immediately; apply the official update across affected hosts.
  • Enforce least privilege for the agent account; restrict local admin usage.
  • Enable endpoint telemetry/EDR rules covering privilege escalation, service changes, and new unsigned driver/process activity.
  • Consider disabling or isolating the agent on non-essential hosts until patched.
  • Change-management: schedule coordinated rollout with testing in a staging group; verify compatibility with critical workloads. If KEV or EPSS evidence becomes available, escalate to Priority 1.
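To support the patch-prioritisation step above, the following PowerShell inventory check is an added example (not part of this advisory or of Microsoft's tooling): it reads the installed agent version from the Windows uninstall registry keys and reports whether it falls in the affected range stated above (1.0.0 up to, but excluding, 1.49). It assumes the agent's installer registers with a DisplayName beginning "Azure Connected Machine Agent"; confirm that on one host before running it fleet-wide.

```powershell
# Added example (not from the advisory): flag hosts whose Azure Connected Machine Agent
# version lies in the CVE-2025-49692 affected range, >= 1.0.0 and < 1.49.
# Assumption: the agent MSI registers under the standard Uninstall keys with a
# DisplayName starting 'Azure Connected Machine Agent'. Verify on one host first.

function Get-ConnectedMachineAgentVersion {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Azure Connected Machine Agent*' } |
        Select-Object -First 1
    if ($null -eq $entry -or -not $entry.DisplayVersion) { return $null }
    try { return [version]$entry.DisplayVersion } catch { return $null }
}

function Test-Cve202549692Affected {
    param([Parameter(Mandatory)][version]$Version)
    # Affected range from the advisory: 1.0.0 <= version < 1.49.
    # [version]'1.49' sorts below '1.49.0', so a fixed 1.49.x build is correctly excluded.
    return ($Version -ge [version]'1.0.0') -and ($Version -lt [version]'1.49')
}

$installed = Get-ConnectedMachineAgentVersion
if ($null -eq $installed) {
    Write-Output "$($env:COMPUTERNAME): Azure Connected Machine Agent not found or version unreadable"
} elseif (Test-Cve202549692Affected -Version $installed) {
    Write-Output "$($env:COMPUTERNAME): agent $installed is AFFECTED, update to 1.49 or later"
} else {
    Write-Output "$($env:COMPUTERNAME): agent $installed is not in the affected range"
}
```

Run it through your existing remote-execution or configuration-management channel so the output can be collected centrally and used to drive the staged rollout described above.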
