CVE-2024-49060: Azure Stack HCI Elevation of Privilege Vulnerability

Overview

Severity
High (CVSS 8.8)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
More Likely
Patch Tuesday
2024-Nov
Released
2024-11-15
Last Updated
2025-06-15
EPSS Score
1.22% (percentile: 79.1%)

FAQ

What actions should I take to be protected from this vulnerability?
Customers must perform the following to mitigate this vulnerability:

  • Update Azure Stack HCI resources to version 2411. Instructions on how to update can be found here.
  • Rotate the administrator and user account passwords for all Azure Arc VMs deployed prior to updating the Azure Stack HCI instance to version 2411. Instructions on how to update these passwords can be found here.

The CVSS score for this vulnerability rates Scope as Changed (S:C). What does this mean?
The vulnerability is found within a component of the Azure Stack HCI cluster, but exploitation impacts Azure Arc VMs.

The CVSS score for this vulnerability rates Attack Vector as Local (AV:L). What does this mean?
Successful exploitation of this vulnerability requires an authenticated attacker to access the target Azure Stack HCI cluster, which could be performed through a remote desktop session or SSH.
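The two mitigation steps above (update to 2411, then rotate credentials on VMs deployed before that update) can be turned into a simple audit run on a cluster node. The following PowerShell is an added example and is not part of the advisory or of Microsoft's documented procedure. It assumes the Azure Stack HCI 23H2 update cmdlets Get-SolutionUpdateEnvironment (with a CurrentVersion property) and Get-SolutionUpdate are available, that solution versions take the form 10.YYMM.x.x so the second component identifies the release, and that the administrator supplies the date the 2411 update was applied; the VM listing uses the Hyper-V Get-VM cmdlet and its CreationTime property.

```powershell
# Added example (not from the advisory): check a 23H2 cluster against the
# CVE-2024-49060 mitigation and list VMs whose credentials still need rotating.
# Assumed: Get-SolutionUpdateEnvironment/Get-SolutionUpdate exist on the node,
# solution versions look like 10.2411.0.24, and $UpdatedOn is supplied by you.
param(
    [datetime]$UpdatedOn = (Get-Date)   # when 2411 was applied; adjust to your cluster
)

$baselineRelease = 2411   # release the advisory requires

# Step 1: is the cluster already on 2411 or later?
$solutionEnv = Get-SolutionUpdateEnvironment
$current = [version]$solutionEnv.CurrentVersion
$release = $current.Minor   # 10.2411.0.24 -> 2411 (assumed layout)

if ($release -ge $baselineRelease) {
    Write-Host "Solution version $current is at or above $baselineRelease: CVE-2024-49060 update applied."
} else {
    Write-Warning "Solution version $current is below $baselineRelease: update to 2411 is required."
    # Show the updates the cluster can see but has not yet installed.
    Get-SolutionUpdate |
        Where-Object { $_.State -ne 'Installed' } |
        Select-Object DisplayName, Version, State |
        Format-Table -AutoSize
}

# Step 2: VMs that existed before the update may carry credentials the
# advisory says to rotate. Treat every VM created before $UpdatedOn as in scope;
# narrow this to Arc-managed VMs if your environment tags them.
$needsRotation = Get-VM |
    Where-Object { $_.CreationTime -lt $UpdatedOn } |
    Select-Object Name, CreationTime, State

if ($needsRotation) {
    Write-Warning "Rotate administrator and user passwords on these VMs (created before $UpdatedOn):"
    $needsRotation | Format-Table -AutoSize
} else {
    Write-Host "No VMs predate the 2411 update; no password rotation outstanding."
}
```

Run it on a cluster node after the update with the actual install date, e.g. `.\Check-Cve202449060.ps1 -UpdatedOn '2024-11-20'`, and keep the output with your change record; the script reports state only and performs neither the update nor the rotation, which should follow the procedures linked from the advisory.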

Affected Products (1)

Azure

  • Azure Stack HCI OS 23H2

Security Updates (1)

Acknowledgments

Jeff Li, Alex Naparu, Kerim Hanif, Bryan Mathew

Revision History

  • 2024-11-15: Information published.
  • 2025-06-15: Updated the build numbers. This is an informational update only.