Microsoft disclosed and patched a critical elevation-of-privilege vulnerability in Windows Admin Center (WAC) tracked as CVE-2026-26119. The issue is caused by improper authentication (CWE-287) and is rated CVSS 8.8 with a network attack vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker with low/limited existing privileges could exploit the flaw over the network to gain elevated privileges equivalent to the user context running WAC, which is particularly high impact given WAC’s role in centralized administration of Windows servers.
Microsoft’s advisory indicates the vulnerability was newly published in its Security Update Guide and is addressed via an official Windows Admin Center security update; organizations are advised to apply the update promptly. Public reporting also notes Microsoft has not observed active exploitation at the time of disclosure, but assesses exploitation as more likely due to low attack complexity and typical enterprise exposure of WAC deployments; no public PoC was noted. Microsoft credited Andrea Pierini (Semperis) for responsible disclosure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
On the same day as public disclosure, Microsoft released security update guidance highlighting that the flaw affects Windows Admin Center 2.6.4 and urging administrators to apply the available update. Public reporting noted the vulnerability's CVSS 8.8 severity and potential for broad administrative impact in enterprise environments.
Microsoft publicly acknowledged CVE-2026-26119 in its Security Update Guide, describing it as a high-severity Windows Admin Center elevation-of-privilege vulnerability. Microsoft rated exploitation as more likely and reported no evidence of active exploitation at disclosure time.
Microsoft addressed CVE-2026-26119 in Windows Admin Center version 2511, released in early December 2025. The fix remediated the improper authentication issue affecting Windows Admin Center deployments.
Andrea Pierini of Semperis discovered the improper authentication vulnerability in Windows Admin Center later assigned CVE-2026-26119. The flaw could allow an already authorized low-privilege user to elevate privileges over the network.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethecyberthrone.in
Open sourcethehackernews.com
Open sourcetechrepublic.com
Open sourcehelpnetsecurity.com
Open sourcecyberpress.org
Open sourcecybersecuritynews.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.