Security News Critical Windows Admin Center Vulnerability Allows Privilege Escalation

Parkinsond

A critical security update addressing a high‑severity elevation of privilege vulnerability in Windows Admin Center (WAC), identified as CVE‑2026‑26119.

The flaw, rated CVSS 8.8 (Critical), stems from improper authentication (CWE‑287) that could allow an authorized attacker to gain elevated network privileges.

According to Microsoft, this vulnerability affects Windows Admin Center version 2.6.4, and it was publicly disclosed on February 17, 2026.

The issue allows attackers who already have limited privileges on the system to escalate their access without further user interaction.

 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1068 (Exploitation for Privilege Escalation)
Leveraging the improper authentication flaw to gain higher permissions.

T1078 (Valid Accounts)
The exploit requires the attacker to be "authorized," implying they must first possess valid, low-level credentials.

CVE Profile

ID: CVE-2026-26119

Score: CVSS 8.8 (Critical).

Type: CWE-287 (Improper Authentication).

Telemetry & Indicators

Affected Product: "Windows Admin Center version 2.6.4".

Vector: Network / Local (Post-Compromise). The attacker escalates from limited privileges without user interaction.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3)

GOVERN (GV) & IDENTIFY (ID)

Command
Immediate Asset Audit. Query your software inventory (SCCM/Intune/Tanium) for Windows Admin Center instances. Focus on "Gateway" servers and Jump Boxes.

Command
Verify version numbers. Any instance running v2.6.4 or older is suspect.

RESPOND (RS) & RECOVER (RC)

Command
Patch Immediately. Deploy the official fix released by Microsoft on Feb 17, 2026.

Command
Review "Gateway Users" and "Gateway Administrators" groups on the WAC server.

Command
Analyze WAC event logs for unusual privilege escalation events or unexpected administrative actions originating from low-privileged accounts.

PROTECT (PR)

Command
Enforce "Tiered Administration." WAC should only be accessible from secure admin workstations (PAWs), not general user LANs.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Reality Check

Command
Do not panic. Windows Admin Center is not installed on Windows by default. It is a tool for IT professionals.

Command
If you do not run a "Home Lab" or manage servers, you are likely unaffected.

Hardening & References

Baseline

Ensure WAC is not exposed directly to the internet. Access should be gated behind VPN or Azure AD Proxy.

Reference
Microsoft Security Update Guide / CVE-2026-26119.

Credit
Vulnerability reported by Andrea Pierini (Semperis).

Sources

Microsoft Security Update Guide

Cyber Security News
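
As an added example (not part of the original posts, and not Microsoft tooling): the asset-audit and version-check steps from the enterprise track above, run over an inventory export. The CSV column names, hostnames and roles are constructed for illustration; the "2.6.4 or older" threshold is the one stated in the post.

```python
import csv
import io

PRODUCT = "windows admin center"
SUSPECT_MAX = (2, 6, 4)  # the post treats v2.6.4 or older as suspect
PRIORITY_ROLES = {"gateway", "jump box"}  # roles the post says to focus on

# Constructed sample export; hostnames, roles and column names are made up.
SAMPLE_EXPORT = """hostname,role,product,version
wac-gw01,Gateway,Windows Admin Center,2.6.4
jump-02,Jump Box,Windows Admin Center,2.6.10
adm-ws07,Workstation,Windows Admin Center,2.4.2.1
wac-gw03,Gateway,Windows Admin Center,v2.5
lab-srv9,Server,Windows Admin Center,unknown
file-01,Server,7-Zip,2.6.4
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_suspect(version):
    """Compare numerically, zero-padded, so 2.5 == 2.5.0 and 2.6.10 > 2.6.4."""
    width = max(len(version), len(SUSPECT_MAX))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(SUSPECT_MAX)

def triage(export_text):
    """Return (suspect, needs_review) lists of (hostname, role, version) rows."""
    suspect, needs_review = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if PRODUCT not in row["product"].lower():
            continue
        entry = (row["hostname"], row["role"], row["version"])
        version = parse_version(row["version"])
        if version is None:
            needs_review.append(entry)  # unknown version: check the host by hand
        elif is_suspect(version):
            suspect.append(entry)
    suspect.sort(key=lambda e: e[1].lower() not in PRIORITY_ROLES)  # gateways, jump boxes first
    return suspect, needs_review

if __name__ == "__main__":
    suspect, needs_review = triage(SAMPLE_EXPORT)
    print("suspect:", suspect)
    print("needs review:", needs_review)
```

A plain string comparison would rank 2.6.10 below 2.6.4 and wrongly flag it, which is why the versions are compared as integer tuples.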
 
@Divergent could you publish the KEV too?
As of February 18, 2026, CVE-2026-26119 has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

While not yet actively exploited, Microsoft has rated the "Exploitability Index" as "Exploitation More Likely" due to the low attack complexity and the value of the target (administrative control).
 
@Divergent In reading the thread quoted text, knowing this was geared more for IT techs and Admins, who appreciated this article and its warning, I still liked this inclusion in your post :)

Priority 1: Reality Check

Command

Do not panic. Windows Admin Center is not installed on Windows by default. It is a tool for IT professionals.

Command
If you do not run a "Home Lab" or manage servers, you are likely unaffected.