Cyber Resilience

CVE-2026-26117

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26117 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Microsoft Arc Enabled Servers Azure Connected Machine Agent. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26117 is an authentication bypass vulnerability that exploits an alternate path or channel in the Azure Windows Virtual Machine Agent. Published on 2026-03-10, it is associated with CWE-288 and NVD-CWE-Other, carrying a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability affects the Azure Windows Virtual Machine Agent component on impacted systems.

A local attacker with low privileges (PR:L) can exploit this issue with low attack complexity and no user interaction. Exploitation requires local access (AV:L) but enables privilege escalation, granting high impacts on confidentiality, integrity, and availability without changing scope.

The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26117.

EU & UK References

Vulnerability details

Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authentication bypass via alternate path/channel in local Azure VM agent directly enables local privilege escalation (CWE-288, AV:L/PR:L), matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21231Same vendor: Microsoft
CVE-2026-32091Same vendor: Microsoft
CVE-2026-25174Same vendor: Microsoft
CVE-2026-42823Same vendor: Microsoft
CVE-2025-59247Same vendor: Microsoft
CVE-2025-49687Same vendor: Microsoft
CVE-2026-27920Same vendor: Microsoft
CVE-2026-27924Same vendor: Microsoft
CVE-2026-20923Same vendor: Microsoft
CVE-2025-53795Same vendor: Microsoft

Affected Assets

microsoft
arc enabled servers azure connected machine agent
1.0.0 — 1.61

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely identification, reporting, and correction of flaws such as the authentication bypass in CVE-2026-26117 within the Azure Windows Virtual Machine Agent.

prevent

Mandates enforcement of approved authorizations, directly countering the alternate path authentication bypass that enables local privilege escalation.

prevent

Limits the impact of privilege escalation from low-privileged local attackers by restricting the Azure Windows VM Agent to the least privileges necessary.

References