Azure Arc: From a Heartbeat to Heart Attack
Sharan Patil
fwd:cloudsec Europe 2025 · Day 1 · Main Room
Sharan Patil, a security consultant at **Reversec** (formerly F-Secure, formerly MWR), presented original exploit research showing how an attacker with local access to an **Azure Arc**-enrolled server can hijack the machine's enrollment and move it into an attacker-controlled Azure tenant, without ever compromising the original tenant. The attack chain combines a lack of metadata validation in the Azure Arc extension service with the ability to crash and then impersonate the **Hybrid Instance Metadata Service (HIMDS)**, so the extension service accepts attacker-supplied tenant metadata. Patil described a CVE, not yet published at the time of the talk, that Microsoft addressed with what he characterised as a partial fix in Azure Arc agent version 1.53, and demonstrated how Azure Arc itself can serve as an effective command-and-control channel built entirely on Microsoft-signed binaries.
AI review
Real vulnerability research with a novel attack chain against Azure Arc: hijacking a server's tenant enrollment through metadata substitution and HIMDS impersonation. The combination of missing validation, plaintext HTTP communication with the local metadata service, and SYSTEM-level extension execution creates a devastating local-to-cloud lateral movement path. This is the kind of hybrid attack surface research the industry needs.
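A practical follow-up to the talk is a fleet check for the outcome it describes: an Arc server whose enrollment no longer points at your tenant, or an agent older than the 1.53 release the talk names. The script below is an added example and is not code from the talk, from Reversec, or from Microsoft. It parses the key/value text that `azcmagent show` prints; the sample output, the field names it keys on, and the expected tenant and subscription IDs are all assumptions constructed for the example, so adjust them to what your agent version actually prints.

```python
"""Baseline check for an Azure Arc-enrolled server's enrollment identity.

Added example (not from the talk): parse `azcmagent show` output and flag
(1) an enrollment whose tenant or subscription is not the one we expect,
which is what a successful enrollment hijack looks like from the host, and
(2) an agent older than 1.53, the version the talk names as carrying the
(partial) fix. Sample output and field names below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the "Key : value" layout azcmagent show uses (assumed).
SAMPLE_SHOW_OUTPUT = """\
Resource Name            : web01
Resource Group Name      : rg-prod
Subscription ID          : 11111111-1111-1111-1111-111111111111
Tenant ID                : 99999999-9999-9999-9999-999999999999
Location                 : westeurope
Agent Version            : 1.49.02678.1721
Agent Status             : Connected
Using HTTPS Proxy        :
"""

# The tenant and subscriptions the fleet should be enrolled in (assumed values).
EXPECTED_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
EXPECTED_SUBSCRIPTIONS = {"11111111-1111-1111-1111-111111111111"}
FIXED_AGENT_VERSION = (1, 53)  # version the talk names as carrying the fix


def parse_azcmagent_show(text: str) -> Dict[str, str]:
    """Turn 'Key : value' lines into a dict; empty values are kept as ''."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce '1.49.02678.1721' to (1, 49); unparseable input becomes ()."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:2])


def assess_enrollment(info: Dict[str, str], expected_tenant: str,
                      expected_subscriptions, min_version=FIXED_AGENT_VERSION) -> List[str]:
    """Return human-readable findings; an empty list means the baseline holds."""
    findings: List[str] = []

    tenant = info.get("Tenant ID", "")
    if tenant.lower() != expected_tenant.lower():
        # The hijack described in the talk ends with the host reporting a foreign tenant.
        findings.append(f"tenant mismatch: enrolled in {tenant or '<none>'}, expected {expected_tenant}")

    sub = info.get("Subscription ID", "")
    if sub.lower() not in {s.lower() for s in expected_subscriptions}:
        findings.append(f"subscription {sub or '<none>'} is not in the allow-list")

    version = info.get("Agent Version", "")
    if parse_version(version) < min_version:
        wanted = ".".join(str(n) for n in min_version)
        # The talk calls the 1.53 fix partial, so this is a necessary check, not a sufficient one.
        findings.append(f"agent version {version or '<unknown>'} is older than {wanted}; update the agent")

    return findings


if __name__ == "__main__":
    parsed = parse_azcmagent_show(SAMPLE_SHOW_OUTPUT)
    for finding in assess_enrollment(parsed, EXPECTED_TENANT, EXPECTED_SUBSCRIPTIONS) or ["baseline OK"]:
        print(finding)
```

In a real deployment you would feed the function the live output of `azcmagent show` (run as an administrator on each host) and alert on any non-empty result; a tenant mismatch on a machine you did not re-onboard is the signal to treat the host as compromised rather than misconfigured.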