Critical Privilege Escalation in Windows Admin Center (CVE-2026-26119)
Microsoft disclosed and patched a critical elevation-of-privilege vulnerability in Windows Admin Center (WAC) tracked as CVE-2026-26119. The issue is caused by improper authentication (CWE-287) and is rated CVSS 8.8 with a network attack vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low/limited existing privileges could exploit the flaw over the network to gain elevated privileges equivalent to the user context running WAC, which is particularly high impact given WAC’s role in centralized administration of Windows servers.
Microsoft published the vulnerability in its Security Update Guide and addresses it with an official Windows Admin Center security update; organizations are advised to apply the update promptly. Public reporting also notes that Microsoft had not observed active exploitation at the time of disclosure but assesses exploitation as more likely, due to low attack complexity and the typical enterprise exposure of WAC deployments; no public PoC was noted. Microsoft credited Andrea Pierini (Semperis) for responsible disclosure.
Timeline
Feb 17, 2026
Microsoft issues February 2026 security update guidance for CVE-2026-26119
On the same day as public disclosure, Microsoft released security update guidance highlighting that the flaw affects Windows Admin Center 2.6.4 and urging administrators to apply the available update. Public reporting noted the vulnerability's CVSS 8.8 severity and potential for broad administrative impact in enterprise environments.
Feb 17, 2026
Microsoft publicly discloses CVE-2026-26119 and publishes advisory
Microsoft publicly acknowledged CVE-2026-26119 in its Security Update Guide, describing it as a high-severity Windows Admin Center elevation-of-privilege vulnerability. Microsoft rated exploitation as more likely and reported no evidence of active exploitation at disclosure time.
Dec 1, 2025
Microsoft fixes CVE-2026-26119 in Windows Admin Center version 2511
Microsoft addressed CVE-2026-26119 in Windows Admin Center version 2511, released in early December 2025. The fix remediated the improper authentication issue affecting Windows Admin Center deployments.
Jul 1, 2025
Semperis researcher discovers Windows Admin Center flaw
Andrea Pierini of Semperis discovered the improper authentication vulnerability in Windows Admin Center later assigned CVE-2026-26119. The flaw could allow an already authorized low-privilege user to elevate privileges over the network.
Related Stories

Windows Admin Center flaws exposed hybrid Azure and on-prem environments to takeover
Researchers disclosed multiple vulnerabilities in Microsoft **Windows Admin Center (WAC)** that could let attackers compromise hybrid environments spanning **Azure** and on-premises infrastructure. Cymulate said one exploit chain enabled **unauthenticated, one-click remote code execution** when a victim visited a malicious URL, combining response-based cross-site scripting, insecure redirect handling, and insecure credential storage to steal credentials, run arbitrary **PowerShell** commands, and capture Azure tokens. The issues affected both Azure-integrated and on-prem deployments, with the most severe risk falling on self-managed on-prem WAC instances that could be used to execute commands on managed servers and pivot into cloud resources. Additional flaws presented at Black Hat Asia were tracked as **`CVE-2025-64669`**, **`CVE-2026-20965`**, **`CVE-2026-23660`**, and **`CVE-2026-32196`**, including a non-write-protected on-prem WAC directory and weaknesses in proof-of-possession token validation that could allow token reuse or forgery and takeover of tenant VMs. Microsoft said Azure-managed instances received server-side fixes after responsible disclosure, and the company has patched the broader set of vulnerabilities with no evidence of active exploitation. Researchers urged organizations to update on-prem WAC immediately, remove outdated exposed instances, and treat both cloud and on-prem management planes as **tier-zero assets** because WAC can serve as a bidirectional path between the two environments.
1 week ago
Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-26132)
Microsoft published details for **CVE-2026-26132**, an **Important** severity **Windows Kernel** *elevation of privilege* vulnerability caused by **CWE-416 (use-after-free)**. The issue is scored **CVSS 3.1: 7.8** with vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating exploitation requires **local access** and **low complexity**, with **low privileges required** and **no user interaction**, and could result in high impact to confidentiality, integrity, and availability. Microsoft’s Security Update Guide entry provides standard machine-consumable references (e.g., *PowerShell*, *API*, and *CSAF* links) for tracking and patch management. No additional exploitation details, in-the-wild exploitation confirmation, or public proof-of-concept information is included in the provided material beyond the vulnerability classification and scoring.
1 month ago
Microsoft Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-24289)
Microsoft published guidance for **CVE-2026-24289**, an **Important** severity **Windows Kernel elevation of privilege** vulnerability caused by **CWE-416 (use-after-free)**. Microsoft scored the issue with **CVSS 3.1: 7.8** (vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`), indicating exploitation requires **local** access with **low** attack complexity and **low privileges**, and could result in high impact to confidentiality, integrity, and availability if successfully exploited. The Security Update Guide entry provides standard Microsoft consumption options (e.g., *PowerShell*, API, CSAF) for tracking and integrating the advisory into vulnerability management workflows. The two provided references are effectively duplicate MSRC pages for the same CVE (one localized under `/en-US/`) and do not add distinct technical details beyond the vulnerability classification and scoring.
1 month ago