Kroll’s Offensive Security Team recently discovered a new vulnerability within Microsoft’s Azure Monitor Agent Metrics Extension, which demonstrates how subtle configuration issues can introduce significant security risks in widely deployed infrastructure components.
This vulnerability stemmed from insecure handling of the OPENSSLDIR configuration in the OpenSSL component packaged with the Metrics Extension module, ultimately enabling arbitrary code execution with elevated privileges. It has been classified as CVE-2026-42830; the following article describes the path to discovery and mitigation.
Path to Discovery
During a purple team engagement, in which red teams and Cyber Security Operations Centre professionals work together to improve resilience, Kroll’s red team identified the vulnerability.
Following responsible disclosure practices, Kroll notified the client and Microsoft of the vulnerability through the Microsoft Security Response Center (MSRC). The vulnerability was patched as part of Microsoft’s May 2026 Patch Tuesday release on May 12, 2026, and was assigned CVE-2026-42830.
Timeline:
- Dec 4, 2025 – Detailed vulnerability report submitted to MSRC
- Dec 4, 2025 – Acknowledgement received and case opened by MSRC
- Jan 31, 2026 – Kroll follows up on the status of the investigation
- Feb 3, 2026 – MSRC responds that the issue is under active investigation
- May 1, 2026 – Kroll follows up requesting an update on status of investigation
- May 5, 2026 – MSRC confirms reported behaviour and ongoing work on the fix
- May 12, 2026 – MSRC releases a fix as part of the May 2026 Security Update
- June 30, 2026 – Public disclosure published by the Kroll Red Team
Vulnerability Overview: Azure Monitor Agent Metrics Extension
Affected Component: Azure Monitor Agent Metrics Extension
Severity: Important (Elevation of Privilege)
Affected Versions: 1.0.0 through 1.42.0
Mitigation: All affected organizations should apply the security update as soon as possible. For further advice and support, please contact our team.
Azure Monitor Agent is a Microsoft component used to collect monitoring and telemetry data from the guest operating systems of Azure and hybrid virtual machines. The collected data feeds into services such as Azure Monitor, where it can be utilized by various services and features, including Microsoft Sentinel and Microsoft Defender for Cloud.
The vulnerability was identified in Metrics Extension, a component distributed with Azure Monitor Agent. Specifically, Metrics Extension contained a privilege escalation vulnerability caused by the unsafe use of the OPENSSLDIR variable, which referenced a non-existent location writable by unprivileged Windows users. By placing a specially crafted openssl.cnf file in that directory, a local unprivileged user could achieve arbitrary code execution with NT AUTHORITY\SYSTEM privileges.
Vulnerability Testing
Prior to version 1.42.0, Azure Monitor Agent (AMA) was vulnerable to an Elevation of Privilege (EoP) issue that allowed low-privilege users to escalate privileges by placing a malicious openssl.cnf file in a location writable by unprivileged users, with content similar to the following:

Figure 1: openssl.cnf configuration example.

Figure 2: Process Monitor trace showing the application attempting to load a missing openssl.cnf file.
The application loads the openssl.cnf file during startup, along with a specified DLL, as part of the OpenSSL initialization process. This behaviour can be abused to achieve arbitrary code execution.
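The Process Monitor observation above, a SYSTEM-context process probing for an openssl.cnf that does not exist, is something defenders can check for on their own hosts. The PowerShell script below is an added example, not Kroll’s or Microsoft’s code. It parses a Process Monitor CSV export for CreateFile operations on a file named openssl.cnf that fail with NAME NOT FOUND or PATH NOT FOUND, then, for each hit, walks up to the nearest existing parent directory and lists Allow ACEs that grant create or write rights to broad principals (Everyone, Authenticated Users, BUILTIN\Users, Interactive). The CSV rows and the path C:\EXAMPLE_OPENSSLDIR are constructed sample data; the column names are those of Process Monitor’s CSV export; the function names are this example’s own.

```powershell
# Added example (not Kroll's or Microsoft's code): triage a Process Monitor CSV export for
# missing-openssl.cnf probes, then check whether an unprivileged user could create that path.
# Column headers follow ProcMon's CSV export; the rows themselves are constructed sample data,
# and C:\EXAMPLE_OPENSSLDIR is a placeholder, not the path from the advisory.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","MetricsExtension.Native.exe","4120","CreateFile","C:\EXAMPLE_OPENSSLDIR\openssl.cnf","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.1234580 AM","MetricsExtension.Native.exe","4120","CreateFile","C:\Program Files\Example\config.json","SUCCESS","Desired Access: Generic Read"
"10:01:03.0000000 AM","svchost.exe","900","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read"
'@

function Find-MissingOpenSslConfigProbes {
    param([Parameter(Mandatory)][string]$CsvText)
    # Keep only failed CreateFile operations whose target is an openssl.cnf file.
    $CsvText | ConvertFrom-Csv |
        Where-Object {
            $_.Operation -eq 'CreateFile' -and
            $_.Path -match '(?i)\\openssl\.cnf$' -and
            $_.Result -in @('NAME NOT FOUND', 'PATH NOT FOUND')
        } |
        Select-Object 'Process Name', PID, Path, Result
}

# Principals every local user belongs to. A write/create ACE granted to one of these on the
# nearest existing ancestor means an unprivileged user could create the missing directory.
$BroadPrincipalSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # Interactive
)
$CreateRights = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles, Write'

function Get-PathCreationExposure {
    param([Parameter(Mandatory)][string]$Path)
    # Start at the directory that should contain openssl.cnf and walk upward until a
    # directory that actually exists on this host is found.
    $probe = Split-Path -Path $Path -Parent
    while ($probe -and -not (Test-Path -LiteralPath $probe)) {
        $parent = Split-Path -Path $probe -Parent
        if (-not $parent -or $parent -eq $probe) { break }
        $probe = $parent
    }
    $writers = @()
    if ($probe -and (Test-Path -LiteralPath $probe)) {
        foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable identity: skip rather than guess
            # Compare on the raw bit mask; specific rights only (generic-right ACEs are not expanded here).
            $grantsCreate = (([int]$ace.FileSystemRights) -band ([int]$CreateRights)) -ne 0
            if ($grantsCreate -and ($BroadPrincipalSids -contains $sid)) {
                $writers += $ace.IdentityReference.Value
            }
        }
    }
    [pscustomobject]@{
        MissingPath           = $Path
        NearestExistingParent = $probe
        BroadWriters          = @($writers | Sort-Object -Unique)
        Exposed               = ($writers.Count -gt 0)
    }
}

foreach ($hit in Find-MissingOpenSslConfigProbes -CsvText $sampleCsv) {
    "{0} (PID {1}) probed missing {2}" -f $hit.'Process Name', $hit.PID, $hit.Path
    Get-PathCreationExposure -Path $hit.Path | Format-List
}
```

To run it against a real capture, export the Process Monitor trace to CSV and pass the file contents in with `Get-Content -Raw`. A hit with `Exposed = True` means a privileged process is looking for a configuration file in a location that a standard user could create, which is exactly the condition the advisory describes; the fix is the vendor update, and an interim hardening on a host that cannot yet be patched is to create the directory with an ACL that only administrators can write to, so that the probe no longer lands on a user-creatable path.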
For demonstration purposes, the Kroll Offensive Security Team created a proof-of-concept (PoC) DLL that executes a simple whoami command and writes the output to a file.

At system startup, the DLL is loaded by the MetricsExtension.Native.exe binary and the DLL’s code is executed with SYSTEM privileges.

Figure 3: Verification with Process Monitor

Figure 4: Creation of the whoami.txt file under SYSTEM privileges.
Accelerate Your Resilience with Kroll
Kroll's approach to red teaming and purple teaming ensures a clear, real-world view of your security posture and provides an actionable strategy with quickly recognizable benefits. A red team operation from Kroll goes beyond the limitations of traditional security testing by rigorously challenging the effectiveness of security controls, personnel and processes in detecting and responding to highly targeted attacks. Our team evaluates your organization’s response to an attack, helping you identify and classify security risks, uncover hidden vulnerabilities and address identified exposures.
As one of the largest incident response providers in the world, Kroll handles thousands of incidents worldwide every year. This unrivaled expertise allows us to collect actionable frontline threat intelligence and adapt the latest tactics, techniques and processes to incorporate in our red team operations. Our team serves clients in 140 countries across six continents, spanning nearly every industry. In addition to our extensive threat intelligence, Kroll’s team of ethical hackers possesses the skills and experience to identify and leverage the latest threats while rigorously assessing your defensive controls.
Red team security services can be included as part of Kroll’s user-friendly Cyber Risk Retainer, along with a variety of valuable cybersecurity solutions such as tabletop exercises, risk assessments, cloud security services and more.
Discover Our Red Teaming Services
References
- CVE.org, CVE-2026-42830: https://www.cve.org/CVERecord?id=CVE-2026-42830
- NVD, CVE-2026-42830: https://nvd.nist.gov/vuln/detail/CVE-2026-42830
- Microsoft Security Advisory, CVE-2026-42830: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42830