
Still shows vulnerabilities in microsoft.azure.monitor.azuremonitorwindows agent 1.42.0.0

Liaqat Ali 0 Reputation points
2026-04-27T14:25:00.0366667+00:00

Hi Team

We are seeing vulnerabilities flagged by Defender related to Azure Monitoring Agent OpenSSL libraries on our VMs

c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0\monitoring\agent\extensions\metricsextension\libcrypto-3-x64.dll
c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0\monitoring\agent\extensions\metricsextension\libssl-3-x64.dll
c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0\monitoring\agent\libcrypto-3-x64.dll

There are no pending updates available from our side and systems are fully patched, but the vulnerabilities are still being reported

Please also confirm what should be included as mitigation in Defender for this case



2 answers

  1. Siva shunmugam Nadessin 10,320 Reputation points Microsoft External Staff Moderator
    2026-04-29T23:22:31.59+00:00

    Hello Liaqat Ali,

    Thank you for reaching out to the Microsoft Q&A forum. 

    When investigated we see that this is a known side-effect of how the Windows Azure Monitor Agent (azuremonitorwindowsagent) currently bundles OpenSSL 3.x, and Defender is surface-scanning those DLLs (libcrypto-3-x64.dll and libssl-3-x64.dll) against CVEs CVE-2025-9230/9231/9232. Here’s what you can do today and what to expect going forward:

    1. Why you’re still seeing it
       – The 1.42.0.0 version of the Azure Monitor Agent for Windows ships with OpenSSL 3.0.13, which contains the CVEs you’re seeing.
       – The engineering team has already fixed these vulnerabilities in the next Windows extension release (planned in an upcoming 1.4x build), but that update hasn’t gone live yet.
    2. Short-term mitigation in Defender
       Until the patched agent version is generally available, you can suppress/accept these findings in Defender for Cloud (or Defender for Endpoint vulnerability management) so they don’t continue to show up as open risks:

    In Defender for Cloud

    Go to Security → Environment settings → your subscription → Vulnerability exceptions.

    Click “Add exception” and enter:

    • CVE IDs: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232
    • File path patterns:
      c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0*\libcrypto-3-x64.dll
      c:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0*\libssl-3-x64.dll
    • Save the exception; Defender will stop flagging those files.

    On-host Defender Exclusions (if you’re only using Defender for Endpoint or local Windows Defender) From an elevated PowerShell session on each VM, run:

    # Exclude the two OpenSSL DLLs.
    # Add-MpPreference appends to the existing exclusion list; calling Set-MpPreference -ExclusionPath
    # twice would overwrite the list each time and leave only the last path excluded.
    Add-MpPreference -ExclusionPath `
        "C:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0\monitoring\agent\extensions\metricsextension\libcrypto-3-x64.dll", `
        "C:\packages\plugins\microsoft.azure.monitor.azuremonitorwindowsagent\1.42.0.0\monitoring\agent\extensions\metricsextension\libssl-3-x64.dll"

    3. Long-term remediation
       Watch the Agent release notes for the “next Windows extension, v1.4x” where the OpenSSL libraries will be upgraded to a CVE-free version. As soon as that extension version is published, simply update your Azure Monitor Agent to eliminate the findings entirely.

    Let me know if you have any further queries; feel free to reach out.

     References

    1. Vulnerable version of OpenSSL on Azure Monitor extension https://supportability.visualstudio.com/AzureMonitor/_wiki/wikis/AzureMonitor.wiki/2601130050003562
    2. OpenSSL vulnerability in Azure Agent (fix planned in 1.42) https://supportability.visualstudio.com/AzureMonitor/_wiki/wikis/AzureMonitor.wiki/2603250010002053
    3. Defender for Cloud – Servers Vulnerability Assessment https://learn.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm
    4. Azure Connected Machine Agent release notes (to track future OpenSSL fixes) https://learn.microsoft.com/azure/azure-arc/servers/agent-release-notes-archive#version-143---june-2024

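    As an added example (not code from the answer above or from Microsoft), here is a PowerShell function that inventories the OpenSSL 3 DLLs under the Azure Monitor Windows Agent plugin folder on a VM, records which agent-version folder each file belongs to, parses the OpenSSL version stamped in the file, and reports whether it is the 3.0.13 build the answer names. It lets you confirm locally what Defender is flagging and re-run the same check after the agent upgrade. Assumptions: the plugin root is the one implied by the paths in the question, and 3.0.13 is the version to compare against (taken from the answer).

```powershell
# Added example (not from the thread): inventory the bundled OpenSSL DLLs under the AMA plugin
# folder and compare their stamped version with the build the answer names as affected.
# Run in an elevated PowerShell session on the VM.

$AmaPluginRoot = 'C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent'  # from the paths in the question
$ReportedOpenSslVersion = [version]'3.0.13'   # per the answer above (assumption: still the build shipped in 1.42.0.0)

function Get-AmaOpenSslInventory {
    param([string]$Root = $AmaPluginRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "AMA plugin folder not found: $Root"
        return
    }

    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Name -in @('libcrypto-3-x64.dll', 'libssl-3-x64.dll') } |
        ForEach-Object {
            # The first folder under the plugin root is the agent version (e.g. 1.42.0.0).
            $relative     = $_.FullName.Substring($Root.TrimEnd('\').Length).TrimStart('\')
            $agentVersion = ($relative -split '\\')[0]

            # OpenSSL stamps ProductVersion as "3.0.13" (sometimes with a suffix); keep the numeric part.
            $parsed  = $null
            $raw     = [string]$_.VersionInfo.ProductVersion
            $numeric = ($raw -split '[^0-9.]')[0]
            [void][version]::TryParse($numeric, [ref]$parsed)

            [pscustomobject]@{
                AgentVersion    = $agentVersion
                File            = $relative
                OpenSslVersion  = $parsed
                MatchesReported = ($null -ne $parsed -and $parsed -eq $ReportedOpenSslVersion)
                # Hash is useful evidence to attach to a support ticket or a Defender exception.
                Sha256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: one row per DLL, grouped by agent version, so you can see whether a flagged file belongs
# to the installed version or to an older version folder left behind after a previous upgrade.
Get-AmaOpenSslInventory | Sort-Object AgentVersion, File | Format-Table -AutoSize
```

    Because the plugin root can hold several version folders, the AgentVersion column tells you whether the flagged paths are the currently installed 1.42.0.0 files or leftovers from an earlier version, which matters when you decide how narrowly to scope a Defender exception.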


  2. Jerald Felix 11,555 Reputation points Volunteer Moderator
    2026-04-28T01:34:05.3533333+00:00

    Hello Liaqat Ali,

    Greetings!

    Thanks for raising this question in Q&A forum.

    This is a very common and understandably frustrating situation. What's happening here is that the OpenSSL libraries (libcrypto-3-x64.dll and libssl-3-x64.dll) bundled inside the Azure Monitor Windows Agent (AMA) version 1.42.0.0 contain known vulnerabilities. These DLLs are shipped and managed by Microsoft as part of the agent itself — meaning you cannot patch them independently through Windows Update. The fix has to come from Microsoft in the form of a newer agent version.

    Here's what you can do right now:

    Step 1: Confirm Your Current Agent Version

    On your VMs, open PowerShell and run the following to see which version of the AMA extension is installed:

    Get-AzVMExtension -ResourceGroupName "<your-rg>" -VMName "<your-vm>" | Where-Object { $_.Name -like "*AzureMonitor*" }
    

    Confirm it shows version 1.42.0.0 and note it for your records.

    Step 2: Upgrade the Azure Monitor Agent to the Latest Version

    Microsoft regularly releases updated AMA versions that include patched OpenSSL libraries. You should upgrade the agent to the latest available version. You can do this from the Azure Portal:

    • Go to Azure Portal → Virtual Machines → select your VM
    • Click on Extensions + Applications
    • Find AzureMonitorWindowsAgent and click on it
    • If an update is available, click Update

    Alternatively, trigger an upgrade via Azure Policy by assigning the built-in policy "Configure Windows machines to run Azure Monitor Agent" with auto-upgrade enabled.

    Step 3: Enable Automatic Extension Upgrades

    To prevent this from happening again, enable automatic extension upgrades on your VMs so that the AMA is always kept up to date by Azure automatically. Run this in PowerShell:

    # Set-AzVMExtension also requires -Publisher, -ExtensionType and -Location for this extension
    Set-AzVMExtension -ResourceGroupName "<your-rg>" `
      -VMName "<your-vm>" `
      -Name "AzureMonitorWindowsAgent" `
      -Publisher "Microsoft.Azure.Monitor" `
      -ExtensionType "AzureMonitorWindowsAgent" `
      -Location "<your-vm-region>" `
      -EnableAutomaticUpgrade $true

    Step 4: Add a Mitigation Note in Defender for Cloud

    Since you asked specifically about mitigation in Defender — if the vulnerability is still showing after the upgrade (due to scan delay), you can add a justification in Defender for Cloud:

    • Go to Microsoft Defender for Cloud → Recommendations
    • Find the vulnerability related to the OpenSSL DLLs
    • Click on the affected resource, then select "Exempt" or "Add mitigation note"
    • State that the fix is owned by Microsoft and is pending an agent update release, with your ticket reference

    Step 5: If Version 1.42.0.0 Is the Latest, Raise a Support Ticket

    If you check and 1.42.0.0 is indeed the most current version available, this means Microsoft has not yet released a patched agent build. In that case, you should raise an Azure Support ticket referencing the specific CVEs flagged by Defender, the DLL paths, and agent version. This also signals to the product team that customers are blocked, which can help prioritize a release.

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.
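    As an added example (not code from the answer above or from Microsoft), here is a function built on the Az.Compute cmdlets used in Steps 1 and 3 that reports, for every Windows VM in a resource group, the AzureMonitorWindowsAgent version the guest actually reports (instance view) and whether automatic extension upgrade is enabled, flagging VMs still on 1.42.0.0. It assumes Az.Compute is installed and Connect-AzAccount has been run, and that the instance-view and model properties are named as in Az.Compute (Extensions, TypeHandlerVersion, EnableAutomaticUpgrade); the resource group name is a placeholder.

```powershell
# Added example (not from the thread): fleet-wide report of the AMA extension version and
# automatic-upgrade setting for the Windows VMs in one resource group.
# Assumes Az.Compute is installed and Connect-AzAccount has been run.

function Get-AmaExtensionReport {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$FlaggedVersion = '1.42.0.0'   # the agent version named in the Defender finding
    )

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

        # Model view: the extension as configured, including the automatic-upgrade flag.
        $model = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.Name |
                 Where-Object { $_.ExtensionType -eq 'AzureMonitorWindowsAgent' }

        # Instance view: the version the guest reports as installed (e.g. 1.42.0.0), which is
        # what Defender's scan of the plugin folder corresponds to.
        $running = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status).Extensions |
                   Where-Object { $_.Type -like '*AzureMonitorWindowsAgent' }

        $runningVersion = if ($running) { [string]$running.TypeHandlerVersion } else { $null }
        $autoUpgrade    = if ($model)   { [bool]$model.EnableAutomaticUpgrade } else { $null }

        [pscustomobject]@{
            VM               = $vm.Name
            AmaInstalled     = [bool]$model
            RunningVersion   = $runningVersion
            AutoUpgrade      = $autoUpgrade
            OnFlaggedVersion = ($runningVersion -eq $FlaggedVersion)
        }
    }
}

# Usage (placeholder resource group): show only the VMs that still need attention, i.e. those
# on the flagged build or without automatic extension upgrade enabled.
Get-AmaExtensionReport -ResourceGroupName '<your-rg>' |
    Where-Object { $_.OnFlaggedVersion -or -not $_.AutoUpgrade } |
    Format-Table -AutoSize
```

    Running this before and after the upgrade in Step 2 gives you the "before" version for the support ticket in Step 5 and a quick confirmation that every VM has moved off 1.42.0.0 once the patched build is published.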
