CVE-2026-26119: Critical Privilege Escalation Vulnerability in Microsoft Windows Admin Center – Patch Now to Prevent Domain Compromise

Executive Summary
CVE-2026-26119 is a critical privilege escalation vulnerability affecting Microsoft Windows Admin Center, a browser-based management platform for Windows servers, clusters, and hybrid environments. This vulnerability, discovered by Andrea Pierini of Semperis and patched by Microsoft in version 2511 (December 2025), enables an authenticated attacker to escalate privileges over a network, potentially resulting in full domain compromise. Microsoft has classified exploitation as "More Likely," and the flaw is categorized under CWE-287 (Improper Authentication). Organizations leveraging Windows Admin Center in enterprise, government, finance, and critical infrastructure sectors are at heightened risk due to the platform’s central role in managing privileged operations across Windows environments.
Technical Information
CVE-2026-26119 is assigned a CVSS v3.1 Base Score of 8.8, reflecting its high severity. The vulnerability stems from improper authentication logic within Windows Admin Center’s session token and role-based access control mechanisms. Specifically, the flaw allows an attacker with valid low-privilege credentials to manipulate session tokens and escalate their privileges to those of an administrator. This can be achieved without user interaction and with minimal attack complexity, making exploitation feasible for a broad range of threat actors.
The vulnerability is classified as CWE-287 (Improper Authentication), indicating that the authentication process fails to adequately verify the identity or privileges of a user. In the context of Windows Admin Center, this manifests as insufficient validation of session tokens and role assignments, enabling privilege escalation through crafted API requests.
The attack vector is network-based, meaning that exploitation can occur remotely if the attacker has network access to the Windows Admin Center instance. The attacker must possess valid credentials for a low-privilege account, which can be obtained through phishing, credential stuffing, or malware. Once authenticated, the attacker can exploit the vulnerability to impersonate higher-privilege users, execute arbitrary commands on managed servers, exfiltrate sensitive data, deploy ransomware, or establish persistent access for further attacks.
The potential impact is severe, encompassing full domain compromise, lateral movement across managed systems, data theft, and disruption of critical services. The vulnerability affects all versions of Windows Admin Center prior to 2511, making it imperative for organizations to identify and remediate vulnerable instances.
Exploitation in the Wild
As of February 2026, there are no confirmed reports of public exploit code or active exploitation of CVE-2026-26119 in the wild. However, Microsoft and multiple security researchers have assessed the likelihood of exploitation as "More Likely" due to the vulnerability’s low complexity and high impact. The technical details of the flaw, while not fully disclosed, are considered straightforward enough to attract attention from both opportunistic attackers and advanced persistent threat (APT) groups.
Andrea Pierini of Semperis, the researcher who discovered the vulnerability, stated on LinkedIn that the flaw "could allow a full domain compromise starting from a standard user" under certain conditions. This assessment underscores the criticality of the issue and the urgency of patching.
The risk that the fix itself will be reverse engineered is significant. Given the central role of Windows Admin Center in enterprise environments and the simplicity of the underlying flaw, it is highly probable that threat actors will attempt to develop exploits by analyzing the patch or diffing the updated binaries. Organizations should assume that exploitation attempts may emerge in the near future and act accordingly.
APT Groups Using This Vulnerability
At the time of this report, there is no public attribution of CVE-2026-26119 exploitation to specific APT groups. However, the nature of the vulnerability and its potential for domain-wide compromise make it an attractive target for groups known to target Windows management infrastructure. Notably, APT groups such as APT29 (Cozy Bear) and APT41 have a history of targeting administrative interfaces and leveraging privilege escalation vulnerabilities for lateral movement and domain dominance.
While no direct evidence links these or other APT groups to active exploitation of CVE-2026-26119, organizations should remain vigilant. The vulnerability aligns with tactics, techniques, and procedures (TTPs) commonly employed by sophisticated threat actors seeking to establish persistent, high-privilege access within enterprise networks.
Affected Product Versions
All versions of Microsoft Windows Admin Center prior to 2511 are affected by CVE-2026-26119. This includes, but is not limited to, the following releases: Windows Admin Center 1809.0, 1910, 2007, 2103, 2110, 2203, 2211, 2306, 2311, 2.6.0, 2.6.1, 2.6.2, and 2.6.3. The vulnerability is present in any deployment that has not been updated to version 2511 or later.
The patched version, Windows Admin Center 2511 (released December 2025), addresses the improper authentication logic and should be deployed immediately to mitigate risk. Organizations should inventory all instances of Windows Admin Center and verify that they are running version 2511 or newer.
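The inventory step above is the one most organizations get wrong by checking a single gateway and stopping. The script below is an added example, not code from the advisory or from Microsoft: it queries a list of hosts for a Windows Admin Center install and reports whether each one is on the build you have verified as 2511. It assumes WinRM is enabled on remote targets, that the caller has local administrator rights on them, that WAC registers under the standard Uninstall registry keys with a DisplayName beginning "Windows Admin Center", and that the gateway service is named ServerManagementGateway; the $PatchedVersion value is a placeholder you must replace with the DisplayVersion read from a gateway you have confirmed is patched.

```powershell
# Added example, not code from the advisory or from Microsoft: inventory Windows
# Admin Center gateway installs across a set of hosts and flag any whose
# DisplayVersion differs from the version string the operator has confirmed as
# the patched 2511 build.
# Assumptions: WinRM is enabled on remote targets, the caller has local admin
# rights on them, WAC registers under the standard Uninstall registry keys with a
# DisplayName beginning "Windows Admin Center", and the gateway service is named
# ServerManagementGateway.

param(
    [string[]]$ComputerName = @('localhost'),
    # Placeholder: replace with the DisplayVersion read from a gateway you have
    # verified is running 2511 or later.
    [string]$PatchedVersion = 'REPLACE-WITH-VERIFIED-2511-DISPLAYVERSION'
)

# Runs on each target: read both the 64-bit and 32-bit uninstall hives
# (a missing hive is not an error) and the gateway service state.
$probe = {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $install = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Windows Admin Center*' } |
        Select-Object -First 1 DisplayName, DisplayVersion
    $svc = Get-Service -Name 'ServerManagementGateway' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisplayName    = $install.DisplayName
        DisplayVersion = $install.DisplayVersion
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    }
}

$report = foreach ($target in $ComputerName) {
    try {
        $info = if ($target -in @('localhost', '.', $env:COMPUTERNAME)) {
            & $probe
        } else {
            Invoke-Command -ComputerName $target -ScriptBlock $probe -ErrorAction Stop
        }
        $installed = [bool]$info.DisplayVersion
        [pscustomobject]@{
            Host           = $target
            Installed      = $installed
            DisplayVersion = $info.DisplayVersion
            ServiceStatus  = $info.ServiceStatus
            # Only an exact match against the verified build counts as patched;
            # anything else (older, unknown, or unreadable) needs a human look.
            Patched        = $installed -and ($info.DisplayVersion -eq $PatchedVersion)
        }
    } catch {
        # Unreachable hosts are reported, never silently skipped.
        [pscustomobject]@{
            Host = $target; Installed = $null; DisplayVersion = $null
            ServiceStatus = 'Unreachable'; Patched = $false
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\wac-inventory.csv' -NoTypeInformation

# Non-zero exit if any reachable host has WAC installed but is not on the patched build,
# so the script can gate a scheduled compliance job.
if ($report | Where-Object { $_.Installed -and -not $_.Patched }) { exit 1 }
```

Run it as `.\Find-WacVersion.ps1 -ComputerName (Get-Content .\gateways.txt) -PatchedVersion '<verified value>'`. An exact-match comparison is used deliberately: WAC version strings have changed format over the years (the advisory lists both 2xxx-style and 2.6.x-style releases), so a numeric "greater than" test can pass on a string it was never meant to compare.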
Workaround and Mitigation
The primary mitigation for CVE-2026-26119 is to apply the security update provided by Microsoft. Organizations should upgrade all instances of Windows Admin Center to version 2511 or later, available through the Microsoft Update Guide.
In addition to patching, organizations should implement the following defense-in-depth measures:
Network segmentation is critical. Isolate Windows Admin Center management interfaces on dedicated VLANs and restrict access to trusted administrative workstations. This reduces the attack surface and limits the ability of compromised accounts to reach the management interface.
Access controls should be reviewed and tightened. Enforce just-in-time privileges, monitor for privilege escalation events, and disable unnecessary Windows Admin Center extensions that may expand the attack surface.
Continuous monitoring is essential. Audit Windows Admin Center logs for anomalous authentication events, unexpected privilege escalations, and suspicious API calls originating from low-privilege accounts. Employ endpoint detection and response (EDR) solutions such as Microsoft Defender or Qualys to identify unpatched instances and detect post-exploitation activity.
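The monitoring advice above names three signals: anomalous authentication, unexpected privilege escalation, and admin-class API calls from low-privilege accounts. The script below is an added example, not code from the advisory or from Microsoft, showing how those checks look as code over a constructed audit trail. The record layout, role names and operation names are made up for the example and are not Windows Admin Center's real schema; in production you would build the same objects from the gateway's event log (Get-WinEvent against the Microsoft-ServerManagementExperience channel is an assumption, and its field names will need mapping).

```powershell
# Added example, not code from the advisory or from Microsoft: two hunts over a
# Windows Admin Center audit trail.
#  (1) A session that presents the gateway administrator role, or succeeds at an
#      admin-only operation, under an account that is not a known gateway admin.
#      That is the shape of the escalation this advisory describes.
#  (2) Repeated failed authentications from one account and source inside a
#      short window, the usual prelude to using stolen low-privilege credentials.
# All records, role names and operation names below are constructed sample data.

# Operator-maintained allowlist of accounts expected to hold the gateway
# administrator role (constructed).
$KnownGatewayAdmins = @('CORP\wac-admin', 'CORP\j.ops')

# Operations that should only ever come from a gateway administrator (constructed).
$AdminOnlyOperations = @('GatewaySettingsUpdate', 'ExtensionInstall', 'RoleAssignmentChange')

# Constructed sample audit records.
$SampleEvents = @(
    [pscustomobject]@{ Time='2026-02-10T09:01:12Z'; User='CORP\j.ops';     Role='Administrator'; Source='10.20.0.15'; Operation='ConnectionList';       Result='Success' }
    [pscustomobject]@{ Time='2026-02-10T09:02:40Z'; User='CORP\b.user';    Role='User';          Source='10.20.5.77'; Operation='Authenticate';         Result='Failure' }
    [pscustomobject]@{ Time='2026-02-10T09:03:05Z'; User='CORP\b.user';    Role='User';          Source='10.20.5.77'; Operation='Authenticate';         Result='Failure' }
    [pscustomobject]@{ Time='2026-02-10T09:03:31Z'; User='CORP\b.user';    Role='User';          Source='10.20.5.77'; Operation='Authenticate';         Result='Failure' }
    [pscustomobject]@{ Time='2026-02-10T09:04:02Z'; User='CORP\b.user';    Role='User';          Source='10.20.5.77'; Operation='Authenticate';         Result='Success' }
    [pscustomobject]@{ Time='2026-02-10T09:04:30Z'; User='CORP\b.user';    Role='User';          Source='10.20.5.77'; Operation='ConnectionList';       Result='Success' }
    [pscustomobject]@{ Time='2026-02-10T09:05:10Z'; User='CORP\b.user';    Role='Administrator'; Source='10.20.5.77'; Operation='RoleAssignmentChange'; Result='Success' }
    [pscustomobject]@{ Time='2026-02-10T09:06:00Z'; User='CORP\wac-admin'; Role='Administrator'; Source='10.20.0.9';  Operation='ExtensionInstall';     Result='Success' }
)

function Find-SuspectPrivilegeUse {
    # Flags records where a non-allowlisted account either presents the admin
    # role or succeeds at an admin-only operation.
    param([object[]]$Records, [string[]]$Admins, [string[]]$AdminOps)
    $Records | Where-Object {
        ($Admins -notcontains $_.User) -and
        ($_.Role -eq 'Administrator' -or ($_.Result -eq 'Success' -and $AdminOps -contains $_.Operation))
    }
}

function Find-AuthFailureBursts {
    # Reports each (User, Source) pair with at least $Threshold failed
    # authentications inside a sliding window of $WindowMinutes.
    param([object[]]$Records, [int]$Threshold = 3, [int]$WindowMinutes = 5)
    $window = [timespan]::FromMinutes($WindowMinutes)
    $Records |
        Where-Object { $_.Operation -eq 'Authenticate' -and $_.Result -eq 'Failure' } |
        Group-Object -Property User, Source |
        ForEach-Object {
            $times = @($_.Group |
                ForEach-Object { [datetimeoffset]::Parse($_.Time, [cultureinfo]::InvariantCulture).UtcDateTime } |
                Sort-Object)
            for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
                if (($times[$i + $Threshold - 1] - $times[$i]) -le $window) {
                    [pscustomobject]@{
                        User      = $_.Group[0].User
                        Source    = $_.Group[0].Source
                        Failures  = $times.Count
                        FirstSeen = $times[$i].ToString('u')
                    }
                    break   # one alert per pair is enough
                }
            }
        }
}

"== Admin role or admin-only operation from a non-admin account =="
Find-SuspectPrivilegeUse -Records $SampleEvents -Admins $KnownGatewayAdmins -AdminOps $AdminOnlyOperations |
    Format-Table -AutoSize

"== Authentication failure bursts =="
Find-AuthFailureBursts -Records $SampleEvents | Format-Table -AutoSize
```

On the sample data the first hunt returns the 09:05:10 record (CORP\b.user presenting the administrator role and changing a role assignment) and the second returns one burst for CORP\b.user from 10.20.5.77. The allowlist is the important design choice: the check does not trust the role claimed in the session, which is exactly the value the advisory says can be manipulated, but compares it against a list you maintain out of band.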
For air-gapped or highly sensitive environments, verify the integrity of downloaded patches using SHA-256 hashes from official Microsoft sources before deployment.
If immediate patching is not feasible, consider disabling external access to Windows Admin Center and restricting usage to isolated, trusted networks until remediation can be completed.
References
NVD Entry for CVE-2026-26119
Microsoft Security Advisory
The Hacker News: Microsoft Patches CVE-2026-26119
LinkedIn: Critical Privilege Escalation Flaw Discovered in Windows Admin Center
Cyber Press: Critical Privilege Escalation Flaw
Rescana is here for you
Rescana is committed to empowering organizations with actionable threat intelligence and robust third-party risk management. Our TPRM platform enables you to continuously monitor your digital supply chain, identify vulnerabilities, and respond proactively to emerging threats. If you have questions about this advisory or require assistance with your cybersecurity posture, we are happy to help at ops@rescana.com.