CVE-2026-26117

HIGH

Azure Windows Virtual Machine Agent - Privilege Escalation

Title source: LLM-generated

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-26117. PoCs published by j-dahl7.

AI-analyzed exploit summary: This repository provides a detailed detection lab for CVE-2026-26117, focusing on Azure Arc identity takeover and subsequent cloud-based C2 techniques. It includes PowerShell scripts for deploying infrastructure and simulating attacks, along with Sentinel analytics rules for detection.

Description

Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.

Exploits (1)

nomisec writeup by j-dahl7 (PoC)
https://github.com/j-dahl7/arc-cloud-c2-sentinel

Classification: Writeup (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Azure Arc, Azure Blob Storage, Azure Key Vault
Auth required
Prerequisites: Azure subscription with Microsoft Sentinel enabled · PowerShell 7.0+ with Azure CLI · Contributor and Microsoft Sentinel Contributor roles
Analyzed by devstral-2 on Mar 15, 2026

Scores

CVSS v3 7.8
EPSS 0.0044
EPSS Percentile 34.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-288
Status published
Products (2)
Microsoft/Arc Enabled Servers - Azure Connected Machine Agent 1.0.0 - 1.61
microsoft/arc_enabled_servers_azure_connected_machine_agent 1.0.0 - 1.61
Published Mar 10, 2026
Tracked Since Mar 11, 2026