High

Privilege Escalation in Windows Admin Center

IdentifiersCVE-2026-26119CWE-287· Improper Authentication

CVE-2026-26119 is an improper authentication vulnerability in Microsoft Windows Admin Center (WAC), the browser-based management platform for administering Windows systems. Microsoft describes the issue as allowing an authorized attacker to elevate privileges over a network. Public reporting and researcher commentary indicate the flaw affected the HTTP service used by Windows Admin Center and, under certain conditions, could be abused as an authentication reflection issue against WAC’s web interface. More detailed reporting attributes the finding to Andrea Pierini of Semperis and states that exploitation involved weaknesses in how WAC authenticated requests to privileged management endpoints, enabling an attacker with valid low-privilege access to obtain the rights of the user context running the affected application. Microsoft patched the issue in Windows Admin Center version 2511, released in December 2025.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an already authorized attacker to elevate privileges over the network and obtain the rights of the user running Windows Admin Center. Because WAC is commonly used as a centralized administrative plane for servers, clusters, Hyper-V hosts, and other managed infrastructure, this can translate into broad administrative control over managed systems. Multiple reports state that, in the right deployment scenario, compromise of a WAC host could enable arbitrary command execution through management endpoints and potentially lead to full domain compromise, particularly where the WAC host also provides highly privileged services such as AD CS.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict Windows Admin Center access to trusted administrative networks only, eliminate any unnecessary exposure, and tightly limit which authenticated users can reach the service. Review and reduce standing privileges for accounts allowed to access WAC, monitor authentication and privilege-escalation activity on WAC hosts, and harden the host and any associated administrative services. Content also indicates that channel binding / Extended Protection-related enforcement was relevant to blocking the reported reflection path, but the definitive mitigation in the provided material is vendor patching.

Remediation

Patch, then assume compromise.

Upgrade Windows Admin Center to version 2511 or later. The provided content consistently states Microsoft fixed CVE-2026-26119 in Windows Admin Center version 2511, released in December 2025, and published guidance through the Microsoft Security Response Center update guide. Apply the vendor update across all WAC instances and validate that the updated build is deployed successfully.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows Admin Centerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

60 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

60 SOURCESView more in app

synacktiv blogNews

Apr 27, 2026

Bypassing Windows authentication reflection mitigations for SYSTEM

A vulnerability discovered via a related attack strategy that targets the HTTP service of Windows Admin Center.

synacktiv blogNews

Apr 27, 2026

Bypassing Windows authentication reflection mitigations for SYSTEM

A vulnerability discovered via a related attack strategy that targets the HTTP service of Windows Admin Center.

synacktiv blogNews

Apr 27, 2026

Bypassing Windows authentication reflection mitigations for SYSTEM

A vulnerability affecting the HTTP service of Windows Admin Center, mentioned as a related discovery from a similar attack strategy.

semperis blogNews

Mar 23, 2026

What You Need to Know: CVE-2026-26119 | Semperis Guides

A critical remote privilege escalation vulnerability in Windows Admin Center that can be abused via authentication reflection to achieve NT AUTHORITY\SYSTEM access and potentially full domain compromise, especially on AD CS servers.

+13 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity43

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-26119

NVD

nvd.nist.gov/vuln/detail/CVE-2026-26119

MITRE CWE · CWE-287

Improper Authentication

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26119