February 20, 2026
By esentry Team

Windows Admin Center Privilege Escalation Vulnerability

CVE ID: CVE-2026-26119

Severity: Critical

CVSS Score: 8.8

Product Affected: Windows Admin Center

Versions Affected: 2.6.4

A newly disclosed vulnerability (CVE-2026-26119) affects Windows Admin Center (WAC) and could allow an authenticated user to escalate privileges on the management host. Because WAC is typically deployed on highly trusted administrative systems, this issue carries significant risk in enterprise environments.

Technical Details

Vulnerability Type: Improper authentication (CWE-287)

Attack Vector: Network

Privileges Required: Low

User Interaction: None

Impact: Full privilege escalation, potentially leading to system compromise and lateral movement across managed systems.

The vulnerability stems from improper authentication and session validation within Windows Admin Center. In practical terms, a user who already has low-level access to the system could abuse this flaw to gain administrative privileges on the host running WAC. In environments where multiple administrators have WAC access, or where credentials are reused or exposed, this becomes a serious lateral-movement opportunity. Microsoft has rated exploitation as “more likely,” which means organizations should treat this as a priority patching item rather than a theoretical concern.

Impact

Windows Admin Center is not just another application; it is a centralized management plane. From a single WAC instance, administrators can manage:

·      Windows Servers

·      Failover clusters

·      Hyper-V hosts and VMs

·      Azure-connected resources

·      Storage and networking configurations

If an attacker compromises the WAC host, they may effectively gain control over every system it manages, which makes this vulnerability particularly dangerous in environments where WAC runs on shared or insufficiently hardened infrastructure.

If successfully exploited, this vulnerability could allow:

·      Elevation to administrative privileges

·      Execution of arbitrary commands

·      Unauthorized configuration changes

·      Access to sensitive infrastructure components

·      Lateral movement across the environment

Mitigation & Remediation

1. Apply Security Updates Immediately: Install Microsoft’s February 2026 security update that contains the patch for CVE-2026-26119.

2. Restrict Access to Management Hosts: Limit who can log into WAC hosts. Run management hosts on dedicated infrastructure isolated from general user workstations.

3. Harden File System Permissions: Ensure critical WAC directories are not writable by non-privileged users.

4. Audit and Monitor: Enable and review logs for unusual events such as:

·      PowerShell execution from WAC processes

·      Unexpected process elevations

·      Modified system files or DLLs in WAC paths

5. Incident Response Preparations: Where there’s suspicion of prior exposure, consider rotating credentials, service tokens, certificates and session keys used by WAC.
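
One way to carry out the file system check in step 3, as an added example that is not code from Microsoft or from this advisory: the script walks a directory tree and reports every ACE that grants write-type access to a principal other than SYSTEM, Administrators or TrustedInstaller. The function name `Get-UntrustedWriteAce` and the `<WAC_DIRECTORY>` placeholder are assumptions; supply the actual WAC install and data paths for your host.

```powershell
# Added example: audit a directory tree for write access held by non-privileged principals.
# Run from an elevated session on the WAC host.
param(
    # Placeholder: replace with the WAC install and data directories on your host.
    [string[]]$Path = @('<WAC_DIRECTORY>')
)

# Principals expected to hold write access (well-known SIDs, locale independent).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow content or permission changes, plus GENERIC_WRITE and GENERIC_ALL,
# which Get-Acl can return as raw bits outside the FileSystemRights enum.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Root)

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; children are checked on their own.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if (-not ([int]$ace.FileSystemRights -band $WriteBits)) { continue }

            # Compare by SID so localized or renamed accounts still match.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }   # orphaned or unresolvable identity
            if ($sid -in $TrustedSids) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Path not found: $p"; continue }
    Get-UntrustedWriteAce -Root $p
}
```

Any row in the output is a location where a non-privileged principal can modify files; review whether the grant is intentional, and fix inherited entries at the parent directory they come from.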