Windows Admin Center Privilege Escalation Vulnerability

EXECUTIVE SUMMARY

A critical elevation-of-privilege vulnerability (CVE-2026-26119, CVSS 8.8) in Windows Admin Center v2.6.4 allows low-privileged authenticated users to escalate privileges over the network due to improper authentication (CWE-287). Microsoft has released a security update, and organizations should prioritize patching immediately to reduce the risk of lateral movement and full infrastructure compromise.

  • CVE: CVE-2026-26119
  • CVSS: 8.8
  • Active Region: Global
  • Affected Sector: Enterprise IT / Organizations using centralized server management
  • Affected Product: Windows Admin Center v2.6.4
  • Severity: Critical
  • Published Date: January 18, 2026

TECHNICAL DETAILS

  • Target: Systems running Windows Admin Center v2.6.4, particularly enterprise environments where WAC is exposed for centralized server, cluster, or infrastructure management. Because WAC often has broad administrative reach, compromise can impact multiple managed assets.
  • Root Cause: Improper authentication (CWE-287) within Windows Admin Center that fails to adequately enforce privilege boundaries, enabling an authenticated user to escalate permissions beyond their intended authorization level.
  • Prerequisite For Exploitation: The attacker must already……
