Azure Arc-enabled Kubernetes privilege escalation

Published Tue, Oct 11th, 2022


Azure Arc allows customers to connect on-premises Kubernetes clusters to Azure. This is facilitated by middleware (the Azure Arc-enabled Kubernetes agent) which includes a "cluster connect" feature in the form of a reverse proxy. A vulnerability in this feature could allow an unauthenticated user to elevate their privileges and potentially gain remote administrative control over any Azure Arc-enabled cluster, as long as they know its randomly generated external DNS endpoint. Azure Stack Edge devices are also affected, because the service supports deployment of Kubernetes workloads via Azure Arc.

Affected Services

Azure Arc, Azure Stack Edge


For Azure Arc customers using auto-upgrade (which is enabled by default), no action is required. Otherwise, the Azure Arc-enabled Kubernetes agent must be updated to versions 1.5.8, 1.6.19, 1.7.18 or 1.8.11 (see link to instructions in references). Azure Stack Edge customers must update to the 2209 release (software version 2.2.2088.5593).

Tracked CVEs



Disclosure Date
Tue, Oct 11th, 2022
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Mo Khan, Microsoft