Microsoft Azure Site Recovery DLL hijacking

Published Tue, Jul 12th, 2022


The Microsoft Azure Site Recovery suite contained a DLL hijacking flaw that allowed privilege escalation from any low-privileged user to SYSTEM on hosts where this service was installed. Incorrect permissions on the cxprocessserver service's executable directory let any user create new files in it. Because the service started automatically, ran with SYSTEM privileges, and attempted to load DLLs from that directory, this allowed a DLL hijacking / planting attack.
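
A defender-side check for the condition described above, as an added example that is not part of the original advisory and is not Microsoft's or Tenable's code: it lists auto-start services running as SYSTEM whose executable directory grants file-creation rights to broad low-privileged groups. The SID list and the rights mask are assumptions chosen for this check.

```powershell
# Added example: flag auto-start SYSTEM services whose executable directory
# is writable by low-privileged principals.
# Assumption: these well-known SIDs stand in for "any low-privileged user":
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Assumption: rights that allow planting a file in the directory.
# CreateFiles (0x2), AppendData (0x4), GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and
                   $_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' } |
    ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep the .exe path only.
        if ($svc.PathName -notmatch '^\s*"?(.+?\.exe)') { return }
        $dir = Split-Path -Path $Matches[1] -Parent
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return }

        try {
            # Ask for SIDs directly so the check does not depend on OS language.
            $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        } catch {
            Write-Warning "Cannot read ACL for $dir ($($svc.Name)): $_"
            return
        }

        foreach ($rule in $rules) {
            # Inherit-only entries apply to children, not to this directory.
            if ($rule.PropagationFlags -band $inheritOnly) { continue }
            $isAllow   = $rule.AccessControlType -eq 'Allow'
            $isLowPriv = $lowPrivSids -contains $rule.IdentityReference.Value
            $canWrite  = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
            if ($isAllow -and $isLowPriv -and $canWrite) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Directory = $dir
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
```

The check looks only at allow entries for the listed SIDs, so deny entries and grants to other groups are not evaluated; treat each result as a lead to confirm against the directory's effective permissions.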

Affected Services

Azure Site Recovery


None required

Tracked CVEs



Disclosure Date
Fri, Apr 8th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
James Sebree, Tenable