CVE-2025-59504 - Azure Monitor Agent Heap Overflow (Upgrade Now)
Category: Vulnerabilities & Exploits
CVE-2025-59504 is a heap-based buffer overflow in Azure Monitor Agent (AMA) that allows arbitrary code execution locally (AV:L) without prior privileges or user interaction (PR:N/UI:N), CVSS 7.3. Microsoft labels exploitation as unlikely and provides an official fix (1.37.1+). Despite the "Important" severity rating, AMA's broad deployment on Windows servers and VMs makes patch hygiene critical (T1203/T1059 for post-local execution chains).

Mechanism: vulnerable memory handling in AMA can crash monitoring services or enable local arbitrary code execution (ACE) in chained attack paths, degrading visibility and availability (A:H). Attackers with footholds may leverage this to disable logging and EDR telemetry before further actions on objectives.

Business risk: loss of observability and tamper risk to the monitoring and logging pipelines used for audit and incident response. While not remotely exploitable per the CVSS vector, pairing with initial access or local privilege escalation can increase impact.

Mitigation: upgrade the AMA extension to 1.37.1 or later; monitor for service crashes and unexpected restarts; enforce application control and Device Guard on monitoring binaries; and restrict local execution on monitoring hosts. Validate extension versions across Azure at scale.
CORTEX Protocol Intelligence Assessment
Business Impact: Telemetry disruption elevates dwell time and hampers forensic response during incidents, especially if attackers disable monitoring to hide activities.
Technical Context: Local ACE with high availability impact; upgrade to 1.37.1+ required.
ATT&CK: T1059 (Command/Scripting), T1562 (Impair Defenses).
Strategic Intelligence Guidance
- Bulk-upgrade AMA to 1.37.1+ via Azure Policy/Update Manager; verify fleet coverage.
- Alert on AMA service crashes/restarts and unauthorized binary changes.
- Harden monitoring hosts with application control and protected process light.
- Continuously inventory agent versions; block outdated extensions.
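The fleet check behind "verify fleet coverage" and "continuously inventory agent versions", as an added example that is not part of the original brief or any Microsoft tooling. It assumes an inventory already exported as one record per VM; the field names (`vm`, `extensions`, `type`, `version`) and the sample data are constructed, and the extension type name is not taken from this page.

```python
import re

FIXED = (1, 37, 1)                     # first fixed AMA version named in the advisory
AMA_TYPE = "AzureMonitorWindowsAgent"  # AMA extension type on Windows VMs (not from this page)
SEVERITY = {"patched": 0, "unknown": 1, "vulnerable": 2}

# Constructed sample inventory; field names are assumptions, adapt them to your export.
SAMPLE = [
    {"vm": "web-01", "extensions": [{"type": AMA_TYPE, "version": "1.37.1.0"}]},
    {"vm": "web-02", "extensions": [{"type": AMA_TYPE, "version": "1.9.0.0"}]},
    {"vm": "sql-01", "extensions": [{"type": AMA_TYPE, "version": "1.36.4"}]},
    {"vm": "app-01", "extensions": [{"type": AMA_TYPE, "version": "1.37"}]},
    {"vm": "app-02", "extensions": [{"type": "CustomScriptExtension", "version": "1.10.15"}]},
    {"vm": "dc-01", "extensions": [{"type": AMA_TYPE, "version": "1.40.0.0"}]},
]

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    return tuple(int(p) for p in text.strip().split("."))

def verdict(version_text):
    """Compare numerically: as strings, "1.9.0.0" would wrongly sort above "1.37.1"."""
    parts = parse_version(version_text)
    if parts is None:
        return "unknown"
    # A short value such as "1.37" matches the fixed release's prefix but does
    # not state the patch level, so it cannot prove the host is fixed.
    if len(parts) < len(FIXED) and parts == FIXED[:len(parts)]:
        return "unknown"
    return "patched" if parts >= FIXED else "vulnerable"

def audit(inventory):
    """Map each status to the sorted VM names in it; a VM takes its worst AMA verdict."""
    report = {"patched": [], "unknown": [], "vulnerable": [], "no-agent": []}
    for record in inventory:
        found = [verdict(e.get("version")) for e in record.get("extensions", [])
                 if str(e.get("type", "")).lower() == AMA_TYPE.lower()]
        status = max(found, key=SEVERITY.get) if found else "no-agent"
        report[status].append(record["vm"])
    return {status: sorted(vms) for status, vms in report.items()}

if __name__ == "__main__":
    for status, vms in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(vms) or '-'}")
```

Hosts reported as `unknown` or `no-agent` need follow-up rather than a pass: the first group has no provable patch level, the second has no AMA telemetry at all.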
Intelligence Source: CVE-2025-59504 - Azure Monitor Agent Heap Overflow (Upgrade Now) | Nov 12, 2025