Platform
azure
Component
azure-monitor-agent
Fixed version
1.35.1
CVE-2025-47988 describes a Remote Code Execution (RCE) vulnerability within the Azure Monitor Agent. This flaw, stemming from improper code generation control (code injection), allows an unauthorized attacker to execute arbitrary code over an adjacent network. The vulnerability impacts versions 1.0.0 through 1.35.1 of the agent, and a fix is available in version 1.35.1.
The impact of CVE-2025-47988 is severe due to its RCE nature. An attacker who can access the network where the Azure Monitor Agent is deployed can exploit this vulnerability to execute malicious code on the affected system. This could lead to complete system compromise, data exfiltration, and potentially lateral movement within the Azure environment. The adjacent network requirement limits the immediate scope, but it still represents a significant risk, particularly in environments with relaxed network segmentation. Successful exploitation could allow an attacker to install persistent backdoors, steal sensitive data stored by the agent, or disrupt monitoring operations.
CVE-2025-47988 was publicly disclosed on 2025-07-08. The vulnerability's EPSS score is pending evaluation, but the RCE nature suggests a potentially high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation inherent in code injection vulnerabilities makes it likely that a PoC will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations heavily reliant on Azure Monitor Agent for log collection and performance monitoring are particularly at risk. Environments with less stringent network segmentation or those that allow external access to the Azure network are also more vulnerable. Shared hosting environments utilizing Azure Monitor Agent should be assessed for potential cross-tenant impact.
• azure: Monitor Azure activity logs for processes spawned by the Azure Monitor Agent that are not part of its normal operation.
Get-AzActivityLog -ResourceGroupName 'your_resource_group' -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.OperationName.Value -like '*Process*'} | Select-Object EventTimestamp, OperationName, ResourceId
• azure: Check for unusual outbound network connections originating from the Azure Monitor Agent process.
Get-NetTCPConnection -RemotePort 443 -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, @{Name='Process'; Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
• generic web: Monitor access logs for requests targeting the Azure Monitor Agent endpoint with unusual parameters or payloads. Look for patterns indicative of code injection attempts.
disclosure
Exploit status
EPSS
0.10% (27th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-47988 is to upgrade the Azure Monitor Agent to version 1.35.1 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing network segmentation to restrict access to the agent from untrusted networks. Review and strengthen network security policies to limit lateral movement. While a WAF or proxy cannot directly prevent this code injection, they can help detect and block suspicious network traffic associated with exploitation attempts. Monitor Azure activity logs for unusual processes or network connections originating from the agent.
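To find agents that still need the upgrade, the following PowerShell inventory script is an added example (not part of this advisory or of Microsoft's tooling). It assumes an authenticated Az session with the Az.Compute module, and that the Azure Monitor Agent extension reports its type as Microsoft.Azure.Monitor.AzureMonitorWindowsAgent or Microsoft.Azure.Monitor.AzureMonitorLinuxAgent in the VM instance view; only the fixed version 1.35.1 comes from the advisory itself.

```powershell
# Added example: flag Azure Monitor Agent installs below the fixed version 1.35.1.
# Requires Connect-AzAccount and the Az.Compute module. The extension type names
# are an assumption about how the AMA extension is reported in the instance view.
$FixedVersion = [version]'1.35.1'
$AmaTypes = @(
    'Microsoft.Azure.Monitor.AzureMonitorWindowsAgent',
    'Microsoft.Azure.Monitor.AzureMonitorLinuxAgent'
)

function Test-AmaAffected {
    param([string]$InstalledVersion)
    # [version] parses "1.35" as well as "1.35.1"; a two-part version compares
    # lower than 1.35.1 and is therefore reported as affected (conservative).
    # Unparsable strings return $null so they show up as "unknown" for manual review.
    try { return ([version]$InstalledVersion) -lt $FixedVersion } catch { return $null }
}

$report = foreach ($vm in Get-AzVM) {
    # -Status returns the instance view, whose Extensions carry the version that
    # is actually installed rather than the version pinned in the extension config.
    $view = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status
    foreach ($ext in ($view.Extensions | Where-Object { $AmaTypes -contains $_.Type })) {
        [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            VM            = $vm.Name
            Extension     = $ext.Type
            Version       = $ext.TypeHandlerVersion
            Affected      = Test-AmaAffected $ext.TypeHandlerVersion
        }
    }
}

# Affected machines first; $null (unknown) versions sort to the end for follow-up
$report | Sort-Object Affected -Descending | Format-Table -AutoSize
```

VMs that do not appear in the output have no Azure Monitor Agent extension reported in their instance view; agents installed outside the VM extension mechanism (for example on Arc-enabled servers) need a separate check.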
Update Azure Monitor Agent to version 1.35.1 or later. This fixes the remote code execution vulnerability. Consult the Microsoft advisory for further details and specific instructions.
CVE-2025-47988 is a Remote Code Execution vulnerability in Azure Monitor Agent versions 1.0.0–1.35.1, allowing attackers to execute code over an adjacent network due to improper code generation control.
If you are using Azure Monitor Agent versions 1.0.0 through 1.35.1 and have adjacent network access, you are potentially affected by this vulnerability.
Upgrade Azure Monitor Agent to version 1.35.1 or later to remediate the vulnerability. Consider network segmentation as a temporary workaround.
While no public exploits are currently known, the RCE nature of the vulnerability suggests a high likelihood of exploitation.
Refer to the official Microsoft Security Update Guide for details: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47988](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47988)