Category: Vulnerability
Published: 25 Feb 2026
Read time: 16 min
Author: NoHacky

CVE-2026-26119: The Windows Admin Center Flaw That Turns a Standard User Into a Domain Admin

A high-severity improper authentication vulnerability in Windows Admin Center — silently patched in December 2025 and publicly disclosed in February 2026 — could allow an attacker with low-level credentials to inherit full administrative privileges and compromise an entire Active Directory domain. Here's everything defenders need to know.

The dashboard you built your infrastructure management around might be the same one that hands your domain to an attacker. On February 17, 2026, Microsoft publicly disclosed CVE-2026-26119, a privilege escalation vulnerability in Windows Admin Center (WAC) caused by improper authentication. It carries a CVSS score of 8.8 out of 10, and the researcher who found it says it could lead to full domain compromise from a standard user account.

The vulnerability was discovered by Andrea Pierini, a Senior Incident Response Consultant at Semperis, in July 2025. Microsoft quietly patched it in Windows Admin Center version 2511, released in December 2025. But the public disclosure didn't come until more than two months later, and the gap between silent remediation and public acknowledgment tells its own story about the severity and sensitivity of this flaw.

critical

Microsoft has tagged CVE-2026-26119 with an "Exploitation More Likely" assessment. While no active exploitation has been confirmed, Microsoft's own analysis indicates that reliable exploit code could be developed and that similar vulnerabilities have historically been targeted in real-world attacks. Microsoft advises that customers "who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority." Organizations still running WAC versions prior to 2511 (v2.6.4) should patch immediately.

What Is Windows Admin Center and Why Does It Matter?

Windows Admin Center is Microsoft's browser-based, locally deployed management console. It replaced many of the aging MMC (Microsoft Management Console) snap-ins that Windows administrators had relied on for decades, consolidating server management, Hyper-V host administration, failover cluster operations, virtual machine management, and Active Directory-joined system administration into a single web interface.

WAC is not a cloud service. It runs locally, typically on a bastion host, jump server, or dedicated management workstation, and it communicates directly with the servers it manages. That local deployment model means WAC often runs with elevated service account credentials that have administrative reach across dozens or hundreds of managed systems. When an IT team deploys WAC, they're creating a single pane of glass that consolidates privileged access to their entire Windows infrastructure.

This architecture is exactly what makes CVE-2026-26119 dangerous. A vulnerability in the tool that centralizes privileged management doesn't just affect one host — it potentially affects every system that tool manages. As TechRepublic's analysis noted, because WAC typically runs with elevated administrative permissions, a vulnerability in the platform can ripple across every managed host in the environment.

The Vulnerability: CVE-2026-26119 in Detail

CVE-2026-26119 is classified under CWE-287: Improper Authentication. The root cause is an authentication failure within WAC's internal logic that does not properly re-validate authorization for sensitive operations. The NVD entry identifies the affected product as Windows Admin Center version 1809.0 (versions prior to 2.6.4). The full technical details remain under wraps as of this writing, but the CVSS vector and Microsoft's advisory provide a clear picture of the attack surface.

Here's the CVSS 3.1 breakdown:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector:      Network  (AV:N)
Attack Complexity:  Low      (AC:L)
Privileges Required: Low     (PR:L)
User Interaction:   None     (UI:N)
Scope:              Unchanged (S:U)
Confidentiality:    High     (C:H)
Integrity:          High     (I:H)
Availability:       High     (A:H)

Base Score: 8.8 (High)
Microsoft Aggregate Severity: Critical

Translated into operational reality: an attacker who already holds valid but low-privilege credentials can exploit this flaw remotely, over the network, with low complexity, and without requiring any user interaction. If successful, they inherit the privileges of whatever account is running the WAC process. In many enterprise deployments, that's a service account with administrative rights across the entire managed server fleet. Notably, while the CVSS 3.1 base score of 8.8 places this in the "High" severity tier, Microsoft's own CSAF advisory classifies the aggregate severity as "Critical," reflecting the real-world impact potential in enterprise environments.

Microsoft's advisory put it plainly:

"Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network. The attacker would gain the rights of the user that is running the affected application." — Microsoft Security Advisory, CVE-2026-26119 (published February 17, 2026)

The severity of this advisory prompted independent alerts from organizations including NHS England Digital, which classified it as critical severity and encouraged affected organizations to review Microsoft's guidance immediately.

The Domain Compromise Angle

The real alarm came from the researcher who discovered it. In a LinkedIn post following the public disclosure, Andrea Pierini didn't mince words about the potential impact:

"Under certain conditions, this issue could allow a full domain compromise starting from a standard user." — Andrea Pierini, Senior Incident Response Consultant at Semperis

This language was consistent across multiple independent reports covering Pierini's disclosure, including coverage from The Hacker News, Help Net Security, and SC Media.

Consider what "full domain compromise" means in practice. An attacker who achieves domain-level administrative access can create and modify user accounts, reset passwords for any account in the domain, modify Group Policy Objects to push malware or weaken security configurations across the entire organization, access and exfiltrate data from any system joined to the domain, establish persistent backdoors through methods like Golden Ticket attacks, and effectively own the organization's identity infrastructure.

The path from CVE-2026-26119 to domain compromise hinges on a common enterprise reality: WAC is often configured with service accounts that hold domain-level or near-domain-level privileges. Organizations grant WAC these elevated rights because the tool needs to manage servers, create configurations, deploy updates, and perform administrative operations across the environment. When the authentication flaw lets an attacker inherit those rights, the attacker inherits the keys to the kingdom.

warning

The exploitation model is powerful because it turns an already authenticated foothold into a full pivot against the control plane, multiplying the effects of a single credential compromise. A help-desk operator, a junior admin, or any user with basic WAC login rights could potentially craft or replay modified API requests to trigger privileged management actions.

The Attack Chain: How Exploitation Would Work

While the exact exploitation steps remain undisclosed pending further responsible disclosure timelines, the CVSS vector and CWE classification allow us to reconstruct the likely attack chain based on the vulnerability's characteristics and publicly available information.

The attack begins with initial access. An attacker obtains low-privilege credentials through phishing, credential stuffing, password spraying, or by compromising a user account that has basic WAC access. Many organizations grant read-level or limited write-level access to WAC broadly across their IT staff, which means the pool of potentially compromised accounts is larger than many teams realize.

From there, the attacker authenticates to the WAC interface using those legitimate but low-privilege credentials. Because WAC's authentication logic fails to properly re-validate authorization for sensitive operations (the core CWE-287 improper authentication flaw), the attacker can craft requests that the WAC process executes using its own elevated service context rather than the caller's limited permissions.

The result: the attacker's actions are performed with whatever privileges the WAC service account holds. In environments where that service account has domain admin or equivalent rights, the attacker can now create accounts, change configurations, disable security controls, extract secrets, install persistence mechanisms, or move laterally across the managed server estate.

Critically, this attack model does not require malware execution, does not require user interaction, and does not require chaining multiple exploits. A single authentication bypass in the management plane is sufficient to escalate from a low-privilege foothold to enterprise-wide administrative control.

The Silent Patch: Timeline and Disclosure

The disclosure timeline for CVE-2026-26119 is notable for the gap between remediation and public acknowledgment:

July 2025       Andrea Pierini (Semperis) discovers the vulnerability
Aug 2025        Cymulate separately reports CVE-2025-64669 to MSRC (Aug 5)
December 2025   Microsoft patches both flaws in WAC version 2511
                  CVE-2025-64669 fix in Dec 10 Patch Tuesday
                  CVE-2026-26119 fix in WAC 2511 (v2.6.4) release
Feb 17, 2026    Microsoft publicly discloses CVE-2026-26119
                  (MSRC advisory published 22:56 UTC)
Feb 19, 2026    Security press coverage begins (Help Net Security,
                  The Hacker News, SC Media, TechRepublic)

That's approximately a two-month window between the patch release and the public advisory. Help Net Security's coverage noted that the delay in disclosure likely reflects the nature of the flaw, its severity, and the operational sensitivity of WAC as a centralized management tool.

This pattern — silent patch followed by delayed disclosure — is not uncommon for vulnerabilities in highly privileged management tools. The logic is understandable: give organizations time to patch before broadcasting the existence of a high-value exploitation target. But it also means that organizations relying solely on CVE feeds and public advisories for their patch prioritization may have missed a critical two-month window during which the fix was available but the urgency was not communicated.

WAC Under Siege: A Pattern of Management Plane Vulnerabilities

CVE-2026-26119 is not the first privilege escalation vulnerability discovered in Windows Admin Center, and the pattern should concern any organization that relies on WAC as a core management tool.

In mid-December 2025, around the same time Microsoft was silently patching CVE-2026-26119, Cymulate researchers publicly disclosed CVE-2025-64669, a separate local privilege escalation vulnerability in WAC. Cymulate reported the vulnerability to Microsoft via MSRC on August 5, 2025; Microsoft acknowledged it on August 29, awarded Cymulate a $5,000 bounty on September 3, and on November 12 confirmed a CVE with Important severity and a fix in the December 10 Patch Tuesday. The root cause was insecure directory permissions: the C:\ProgramData\WindowsAdminCenter folder was writable by all standard users. Cymulate identified two independent exploitation paths from this single weakness — abuse of the extension uninstall mechanism through signed PowerShell script substitution, and DLL hijacking in WAC's update mechanism. For the updater path, a signature validation step initially blocked their malicious DLL, but they found a Time-of-Check Time-of-Use (TOCTOU) race condition that allowed them to bypass the validation entirely by swapping in a malicious DLL after the check completed but before the updater process loaded it. Both paths escalated a low-privilege user to SYSTEM.

Three distinct privilege escalation paths in the same product, surfacing within a two-month window, from two different research teams, using completely different attack techniques (network-based authentication bypass, local insecure permissions with TOCTOU race conditions, and cloud token validation failures). That is a signal, not a coincidence. It indicates that WAC's codebase has systemic security issues that go beyond isolated bugs, particularly around its authentication, authorization, and update mechanisms.

This pattern aligns with a broader industry trend that security researchers and incident responders have been warning about: attackers are increasingly targeting management planes and administrative interfaces rather than traditional endpoint software. When attackers compromise a management tool, they gain access to the control plane rather than individual machines, dramatically amplifying the impact of a single vulnerability. And the WAC vulnerability trend has continued: in January 2026, Cymulate disclosed yet another WAC flaw, CVE-2026-20965, a high-severity improper token validation issue in the Azure AD SSO implementation of Windows Admin Center. The flaw stemmed from WAC's failure to validate that the User Principal Name (UPN) matched between the WAC.CheckAccess token and the Proof-of-Possession (PoP) token, combined with overly permissive JIT network access rules that exposed the WAC API port (6516) directly to all source IPs. An attacker with local administrator access on a single WAC-managed Azure VM could exploit these weaknesses to escalate privileges and execute remote commands on every WAC-managed machine within the tenant. Microsoft patched the issue via Windows Admin Center Azure Extension version 0.70.00, released January 13, 2026. Cymulate first reported the flaw to Microsoft in August 2025.

Who Discovered It: Semperis and the AD Security Ecosystem

The discovery came from Andrea Pierini (@decoder_it) at Semperis, an identity security company that specializes in Active Directory threat prevention, detection, response, and recovery. Semperis is headquartered in Hoboken, New Jersey, with research teams distributed across the United States, Canada, and Israel. The company's technology protects over 100 million identities across enterprise and government environments, and their research team has been responsible for uncovering several notable identity-related vulnerabilities, including the Silver SAML attack technique (discovered by Semperis researchers Eric Woodruff and Tomer Nahum).

Pierini is a well-known Windows security researcher with a track record of privilege escalation discoveries, including the LocalPotato NTLM reflection attack (CVE-2023-21746) and JuicyPotatoNG. He has been recognized multiple times as a Microsoft Most Valuable Researcher. His background in Windows internals and AD security made him uniquely positioned to recognize the domain compromise implications of this flaw. A WAC authentication bypass might look like a routine privilege escalation to a generalist vulnerability researcher. To someone who understands how Active Directory environments are architected and how management tools interact with domain infrastructure, the same flaw represents a direct path from standard user to domain admin.

Remediation: What You Need to Do Now

If your organization runs Windows Admin Center, here's the priority action list.

Immediate Actions

Patch to WAC version 2511 (internal version 2.6.4) or later. This is the single most important step. The fix has been available since December 2025. Verify successful deployment across every WAC instance in your environment, including any forgotten or shadow deployments on admin workstations. Microsoft's guidance directs organizations to update through the WAC interface or via direct download.

Inventory all WAC deployments. Many organizations have WAC installed in more places than they realize. Check bastion hosts, jump servers, admin workstations, and any system where an administrator might have installed WAC for convenience. Each unpatched instance is an open door.

Audit WAC service account privileges. Determine what level of access your WAC service account holds. If it runs as a domain admin or has equivalent privileges, you've been operating with a blast radius that encompasses your entire domain. Even after patching, this configuration represents unnecessary risk.

Short-Term Hardening

Restrict network exposure. WAC should never be accessible from general user networks. Place it behind network segmentation, restrict access to dedicated management VLANs, and eliminate any internet-facing exposure. Use VPN or zero-trust network access controls to gate connectivity.

Enforce multi-factor authentication. Require MFA for all accounts that access WAC. This adds a critical barrier that prevents stolen credentials alone from being sufficient for exploitation.

Implement least privilege. Remove standing administrative rights from the WAC service account wherever possible. Implement just-in-time (JIT) and just-enough-administration (JEA) controls so that elevated privileges are only granted when needed and automatically revoked when the task is complete.

Detection and Hunting

Enable enhanced logging. Ensure WAC activity logging is enabled and forwarded to your SIEM. Monitor for unusual authentication patterns, unexpected privilege escalations, new account creation, and lateral movement originating from WAC management hosts.

Hunt retrospectively. The vulnerability existed in the wild before the December 2025 patch. If your environment was running an unpatched WAC instance during that window, run retrospective hunts for signs of exploitation: unexpected administrative actions, new service principals, role assignments that don't correspond to change tickets, and anomalous authentication events on managed servers.

note

Organizations that manage WAC updates through WSUS or SCCM should verify that the Windows Admin Center product category is enabled in their update synchronization. WAC is distributed as a separate application, not an OS component, so its updates require explicit configuration in enterprise patch management systems.

Key Takeaways

  1. Management planes are crown jewels, not utilities. CVE-2026-26119 demonstrates that a single authentication flaw in a centralized management tool can cascade into enterprise-wide compromise. Organizations need to treat WAC and similar administrative interfaces with the same security rigor they apply to domain controllers.
  2. Silent patches create silent exposure windows. The two-month gap between Microsoft's December 2025 patch and the February 2026 public disclosure meant that organizations relying on CVE feeds for prioritization had no signal that a critical fix was waiting. Treat all WAC version updates as potentially security-critical, regardless of whether a CVE has been published.
  3. Privilege accumulation in service accounts is a ticking time bomb. The severity of CVE-2026-26119 is directly proportional to the privileges held by the WAC service account. Organizations that run WAC with domain admin credentials transformed a high-severity privilege escalation into a domain compromise vector. Implement least privilege and JIT access now, before the next management plane vulnerability surfaces.
  4. WAC's vulnerability pattern demands strategic attention. Three distinct privilege escalation vulnerabilities (CVE-2025-64669, CVE-2026-26119, and CVE-2026-20965) discovered by independent research teams and patched within a two-month window, using entirely different attack techniques, signals systemic issues in WAC's security architecture. This should factor into your risk calculus when deciding how WAC is deployed, segmented, and monitored in your environment.

CVE-2026-26119 is a textbook example of why centralized management tools must be treated as high-assurance assets. The vulnerability's core danger is not exotic exploitation techniques. It's the simple reality that a trusted control plane with insufficient authorization checks can hand an adversary the keys to the kingdom. Patch now, segment your management plane, audit your service account privileges, and assume that any management tool can be an attack surface. The window between disclosure and exploitation is shrinking, and the attackers know exactly where to look.

Sources: Microsoft Security Advisory; The Hacker News; Help Net Security; SC Media; TechRepublic; Cymulate (CVE-2025-64669); Cymulate (CVE-2026-20965); NHS England Digital Cyber Alert; CIRCL Vulnerability Lookup (CSAF data); NVD
