CVE-2026-20965 is a high-severity vulnerability in the Azure AD/Azure Single Sign-On implementation of Microsoft Windows Admin Center (WAC), specifically affecting the Windows Admin Center Azure Extension prior to version 0.70.00. The issue stems from improper verification and binding of authentication/authorization tokens used by WAC, including weaknesses in validation of the WAC.CheckAccess token and the Proof-of-Possession (PoP) token. Reported weaknesses include failure to enforce matching UPNs between the two tokens, acceptance of PoP tokens originating from a different tenant, insufficient scoping of the WAC.CheckAccess token to a specific managed machine, and weak validation of PoP wrapper fields. Cymulate described an attack chain in which an attacker with local administrator access on one WAC-managed Azure VM or Azure Arc-connected machine can capture a privileged user’s WAC.CheckAccess token during an Azure Portal WAC session, combine it with a forged PoP token, and then submit WAC API requests such as InvokeCommand against other accessible WAC-managed systems. Although some advisory text characterizes this as improper verification of cryptographic signature, the supporting content more specifically describes improper token validation and token-binding failures in WAC Azure SSO.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
One of four vulnerabilities affecting Microsoft's Windows Admin Center (WAC), discussed as enabling cross-boundary attacks between on-prem and Azure-managed environments in hybrid cloud deployments.
Improper token validation/access scoping issue in Windows Admin Center Azure Extension that can enable tenant-wide remote code execution in Azure contexts.
Unknown
Improper token validation in Windows Admin Center (WAC) Azure SSO that allows an attacker to mix a stolen WAC.CheckAccess token with a forged Proof-of-Possession (PoP) token, enabling cross-machine/tenant lateral movement and unauthorized access across Azure tenants (including Azure VMs and Arc-connected systems).
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.