Privilege Escalation Vulnerability in Microsoft Windows Admin Center (CVE-2026-26119)
February 26th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring CVE-2026-26119, a high-severity vulnerability in Microsoft Windows Admin Center (WAC) that was publicly disclosed on February 17, 2026. The vulnerability is categorized as CWE-287 (Improper Authentication) and allows an authorized low-privilege attacker to elevate privileges over a network without requiring user interaction. Windows Admin Center is widely deployed for centralized management of servers, clusters, and hybrid infrastructure, making this issue operationally significant in enterprise environments. Successful exploitation could grant privileges equivalent to the account running the WAC service, which in many deployments may possess extensive administrative rights. Microsoft has not publicly confirmed active exploitation at the time of disclosure. The fix was incorporated into Windows Admin Center version 2511, previously released in December 2025, providing organizations with a clear remediation path.
Technical Details
Severity: High
CVE: CVE-2026-26119
CVSS v3.1 (CNA / Microsoft): 8.8 (High)
Affected Products: Microsoft Windows Admin Center versions prior to 2511
Attack Vector:
The vulnerability is exploitable over the network (AV:N) against vulnerable Windows Admin Center instances.
Successful exploitation requires an authenticated attacker with low privileges (PR:L).
No user interaction is required (UI:N).
Environments where Windows Admin Center is broadly accessible, improperly segmented, or internet-exposed may face elevated risk.
Vulnerability Characteristics:
CVE-2026-26119 is classified under CWE-287 (Improper Authentication).
Microsoft indicates that exploitation could allow an authorized attacker to elevate privileges within the Windows Admin Center context.
A successful attack may grant privileges equivalent to the account running the affected application.

Impact
Security Impacts:
Privilege Escalation: Attackers may gain elevated control within the Windows Admin Center context, enabling unauthorized administrative actions.
Confidentiality Risks: Exposure of sensitive administrative data, credentials, or managed system information may occur.
Integrity Risks: Unauthorized modification of system configurations or management settings may be possible.
Availability Risks: Abuse of administrative capabilities could disrupt management functions or dependent systems.
Lateral Movement Potential: Elevated privileges may facilitate broader access depending on identity architecture and service account permissions.
Operational & Business Risks:
Service Disruption: Management infrastructure compromise can affect operational stability and administrative workflows.
Regulatory Exposure: Unauthorized access or data compromise may trigger compliance and reporting obligations.
Financial & Reputational Damage: Security incidents involving privileged management systems typically carry elevated remediation costs and trust impacts.
Risk Modifiers:
The practical severity of this vulnerability depends on:
Privilege level of the Windows Admin Center service account
Network exposure and segmentation controls
Identity and authentication architecture
Monitoring and detection capabilities
Detection Method
While Microsoft has not released detailed exploitation telemetry, organizations should adopt defense-in-depth monitoring consistent with WAC’s role and behavior.
Monitor for:
Unusual authentication activity involving low-privilege accounts
Administrative actions inconsistent with user roles
Unexpected Windows Admin Center service behavior
Abnormal API or management requests targeting WAC endpoints
Suspicious privilege elevation patterns on WAC hosts
Unexpected process execution or system changes originating from WAC servers
Prioritize visibility into:
Windows Security Event Logs
EDR / Sysmon telemetry
Application and management logs
Network and firewall logs
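One way to turn the "suspicious privilege elevation patterns on WAC hosts" item into a check over Windows Security events exported from a WAC host. This is an added example, not part of the original advisory. The account names, addresses and events are constructed, and the set of expected administrators is an assumption you supply for your environment.

```python
# Added example: flag logon sessions on a WAC host where an account outside the
# expected administrator set was assigned sensitive privileges (4624 + 4672).
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}

# Constructed sample events; field names follow Security log events 4624/4672.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "wacadmin", "TargetLogonId": "0x3e1a",
     "LogonType": 3, "IpAddress": "10.0.5.10"},
    {"EventID": 4672, "SubjectUserName": "wacadmin", "SubjectLogonId": "0x3e1a",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4624, "TargetUserName": "helpdesk1", "TargetLogonId": "0x4b20",
     "LogonType": 3, "IpAddress": "10.0.9.44"},
    {"EventID": 4672, "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x4b20",
     "PrivilegeList": "SeImpersonatePrivilege SeDebugPrivilege"},
    {"EventID": 4624, "TargetUserName": "reader2", "TargetLogonId": "0x5c77",
     "LogonType": 3, "IpAddress": "10.0.9.51"},
]

def find_unexpected_elevation(events, expected_admins):
    """Return one finding per session where a non-admin got sensitive privileges."""
    expected = {name.lower() for name in expected_admins}
    logons = {}    # logon id -> 4624 record, used to recover the source address
    findings = []
    for ev in events:
        if ev["EventID"] == 4624:
            logons[ev["TargetLogonId"]] = ev
        elif ev["EventID"] == 4672:
            user = ev["SubjectUserName"]
            granted = set(ev["PrivilegeList"].split()) & SENSITIVE
            if user.lower() in expected or not granted:
                continue  # expected administrator, or nothing sensitive assigned
            logon = logons.get(ev["SubjectLogonId"], {})
            findings.append({"user": user,
                             "logon_id": ev["SubjectLogonId"],
                             "source": logon.get("IpAddress", "unknown"),
                             "privileges": sorted(granted)})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_elevation(SAMPLE_EVENTS, {"wacadmin"}):
        print(finding)
```

A finding here is a lead for review against the account's assigned role, not proof of exploitation.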
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Apply Security Updates:
Immediately update Windows Admin Center to version 2511 or later.
Restrict Exposure:
Avoid direct internet exposure of Windows Admin Center.
Limit access to trusted administrative networks.
Enforce network segmentation where feasible.
Strengthen Identity Controls:
Enforce least-privilege access.
Review WAC service account permissions.
Implement strong authentication controls, including MFA.
Enhance Monitoring:
Monitor authentication, privilege escalation, and administrative activity.
Correlate endpoint, application, and network telemetry.
Investigate anomalous WAC behavior promptly.
Operational Hardening:
Ensure Windows Admin Center instances run supported builds.
Maintain logging and audit integrity.
Validate incident response procedures for management infrastructure.
Conclusion
CVE-2026-26119 is a high-severity privilege escalation vulnerability in Microsoft Windows Admin Center arising from improper authentication controls. Although public exploitation has not been confirmed, the network-exploitable nature, low privilege requirements, and absence of user interaction elevate organizational risk. Organizations should prioritize patching Windows Admin Center to version 2511 or later, restrict exposure of the management interface, and maintain heightened monitoring for anomalous administrative behavior. Proactive remediation and defense-in-depth controls remain critical to reducing the likelihood and impact of compromise.