Azure Identity Token Vulnerability Enables Tenant-Wide Compromise in Windows Admin Center

Azure Identity Token Vulnerability

A high-severity vulnerability in Windows Admin Center’s Azure Single Sign-On implementation has exposed Azure virtual machines and Arc-connected systems to unauthorized access across entire tenants.

Cymulate Research Labs discovered the flaw, now tracked as CVE-2026-20965, which demonstrates how improper token validation can collapse security boundaries between individual machines and complete Azure environments.

Microsoft patched the issue via Windows Admin Center Azure Extension v0.70.00 on January 13, 2026, following Cymulate’s August 2025 disclosure. All unpatched deployments below this version remain exposed.

CVE ID: CVE-2026-20965
Description: Improper token validation in WAC Azure SSO allows mixing a stolen WAC.CheckAccess token with a forged PoP token for lateral movement.
Severity: High
CVSS Score: Not yet published
Affected Versions: < 0.70.00
Patch: v0.70.00

Exploitation requires local administrator rights on a WAC-enabled Azure VM or Arc machine, plus a privileged user connecting to that machine through the Azure Portal. No in-the-wild exploitation has been reported, but Cymulate advises retrospective detection.

Windows Admin Center's Azure SSO relies on two tokens: a WAC.CheckAccess token, which verifies role-based access by the user's UPN, and a Proof-of-Possession (PoP) token bound to a browser-generated key pair so that it cannot be replayed.

The flaws include no UPN matching between the two tokens, acceptance of PoP tokens issued by other tenants, acceptance of non-gateway URLs in the PoP token (e.g., a direct IP address on port 6516), reused nonces, and an unscoped WAC.CheckAccess token that grants access tenant-wide rather than to one machine.

Just-in-Time (JIT) VM access opens port 6516 to all source IPs rather than only to the gateway's DNS name, so a token can be forged against the machine directly without any DNS discovery. This collapses VM isolation and allows an attacker to impersonate administrators across resource groups.
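The validation gaps listed above are easiest to see as the checks a gateway should perform before accepting a WAC.CheckAccess/PoP token pair. The following is an added example, not Windows Admin Center code and not Microsoft's actual claim layout: the claim names (`upn`, `tid`, `aud`, `nonce`, `resource`), the `validate_token_pair` function and all sample values are assumptions chosen for illustration. It enforces UPN match, same tenant, binding of the PoP token to the gateway DNS name on port 6516, single-use nonces, and a CheckAccess token scoped to the machine actually being addressed, and reports each check that a mixed token pair fails.

```python
"""Cross-checks between a WAC.CheckAccess token and a PoP token.

Added example, not Windows Admin Center code. The claim names used here
('upn', 'tid', 'aud', 'nonce', 'resource') are assumptions; the checks are
the ones the article says were missing.
"""
from urllib.parse import urlsplit

GATEWAY_PORT = 6516  # WAC gateway port named in the article


def validate_token_pair(check_access, pop, *, expected_tenant, gateway_host,
                        target_resource, seen_nonces):
    """Return a list of violation codes; an empty list means the pair is consistent."""
    violations = []

    # 1. Both tokens must assert the same principal (UPN).
    if check_access.get("upn", "").lower() != pop.get("upn", "").lower():
        violations.append("upn_mismatch")

    # 2. Both tokens must be issued for the tenant this gateway serves.
    for name, token in (("check_access", check_access), ("pop", pop)):
        if token.get("tid") != expected_tenant:
            violations.append(f"{name}_foreign_tenant")

    # 3. The PoP token must be bound to the gateway's DNS name on the gateway
    #    port, not to a raw IP address or any other host.
    url = urlsplit(pop.get("aud", ""))
    if (url.scheme != "https"
            or (url.hostname or "").lower() != gateway_host.lower()
            or url.port not in (None, GATEWAY_PORT)):
        violations.append("pop_url_not_gateway")

    # 4. A nonce may be presented once; the caller keeps the set of used ones.
    nonce = pop.get("nonce")
    if not nonce or nonce in seen_nonces:
        violations.append("nonce_reused")
    else:
        seen_nonces.add(nonce)

    # 5. The CheckAccess token must name the resource being addressed, so a
    #    token captured on one VM cannot authorise actions on another.
    if check_access.get("resource") != target_resource:
        violations.append("check_access_unscoped")

    return violations


def demo():
    """Run a consistent pair and a mixed pair through the checks (constructed data)."""
    tenant = "11111111-2222-3333-4444-555555555555"   # constructed tenant id
    gateway = "wac-gateway.contoso.example"           # constructed gateway DNS name
    vm_a = "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm-a"
    vm_b = "/subscriptions/sub-1/resourceGroups/rg-b/providers/Microsoft.Compute/virtualMachines/vm-b"
    seen = set()

    check_access = {"upn": "admin@contoso.example", "tid": tenant, "resource": vm_a}
    pop = {"upn": "admin@contoso.example", "tid": tenant,
           "aud": f"https://{gateway}:{GATEWAY_PORT}/", "nonce": "nonce-0001"}
    consistent = validate_token_pair(check_access, pop, expected_tenant=tenant,
                                     gateway_host=gateway, target_resource=vm_a,
                                     seen_nonces=seen)

    # The same CheckAccess token presented against vm-b together with a PoP
    # token from another tenant, bound to an IP:6516 URL, with a replayed nonce.
    foreign_pop = {"upn": "someone@other-tenant.example",
                   "tid": "99999999-0000-0000-0000-000000000000",
                   "aud": "https://10.0.0.5:6516/", "nonce": "nonce-0001"}
    mixed = validate_token_pair(check_access, foreign_pop, expected_tenant=tenant,
                                gateway_host=gateway, target_resource=vm_b,
                                seen_nonces=seen)
    return consistent, mixed


if __name__ == "__main__":
    print(demo())
```

Each violation code maps to one item in the article's list of flaws; a gateway that enforced all five would reject the token mix the attack chain depends on even if the WAC.CheckAccess token had already been captured.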

Attack Chain

  1. Dump WAC cert, stop service, run rogue server.
  2. Capture admin’s WAC.CheckAccess token during portal connection.
  3. Enumerate targets via metadata/subnet.
  4. Forge PoP using attacker tenant: generate keys, bind via refresh token, insert target resource ID/IP.
  5. Send InvokeCommand with mixed tokens for RCE on any accessible WAC machine.
  6. Repeat for chaining.

The chain enables lateral movement, privilege escalation, credential theft, cross-subscription compromise, and evasion through fake UPNs.

Detection Guidance

Monitor for logons by WAC virtual accounts such as [email protected]; their appearance on a machine indicates abuse.

KQL Query for Suspicious Logons:

DeviceLogonEvents
| where Timestamp > ago(30d)
| where AccountName has "@"
| where not(AccountName has "")
| project Timestamp, DeviceName, AccountName, ActionType, LogonType
| order by Timestamp desc

Flag anomalous WAC activity: new identities appearing on target machines, and spikes in InvokeCommand calls from otherwise trusted contexts.
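To show what the KQL hunt above and the "new identities on targets" signal look like against concrete rows, here is an added example that is not from the article or from Microsoft. It reimplements the query's filter offline over constructed DeviceLogonEvents rows (same columns the query projects), with two assumptions not in the article: an allowlist of the tenant's own UPN domains (`EXPECTED_DOMAINS`), and a baseline of (device, account) pairs seen before the 30-day window, against which new pairs are flagged. The sample rows and the function names are constructed for this demonstration.

```python
"""Offline equivalent of the DeviceLogonEvents hunt, run over constructed rows.

Added example, not from the article or Microsoft. EXPECTED_DOMAINS, the
baseline idea and every sample row below are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

EXPECTED_DOMAINS = {"contoso.example"}  # assumed: the tenant's own UPN domain(s)

SAMPLE_ROWS = [  # constructed telemetry, not real events
    {"Timestamp": "2025-12-01T07:00:00Z", "DeviceName": "vm-a", "AccountName": "admin@contoso.example",
     "ActionType": "LogonSuccess", "LogonType": "Network"},
    {"Timestamp": "2026-01-10T08:00:00Z", "DeviceName": "vm-a", "AccountName": "admin@contoso.example",
     "ActionType": "LogonSuccess", "LogonType": "Network"},
    {"Timestamp": "2026-01-11T09:15:00Z", "DeviceName": "vm-a", "AccountName": "svc_wac",
     "ActionType": "LogonSuccess", "LogonType": "Interactive"},   # local account, no '@'
    {"Timestamp": "2026-01-12T10:30:00Z", "DeviceName": "vm-b", "AccountName": "admin@contoso.example",
     "ActionType": "LogonSuccess", "LogonType": "Network"},
    {"Timestamp": "2026-01-12T10:31:00Z", "DeviceName": "vm-b", "AccountName": "ops@other-tenant.example",
     "ActionType": "LogonSuccess", "LogonType": "Network"},       # foreign-domain UPN
    {"Timestamp": "2025-11-01T00:00:00Z", "DeviceName": "vm-c", "AccountName": "x@other-tenant.example",
     "ActionType": "LogonSuccess", "LogonType": "Network"},       # outside the 30-day window
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_upn(account):
    return "@" in account


def upn_domain(account):
    return account.rsplit("@", 1)[1].lower()


def suspicious_upn_logons(rows, now, window_days=30, expected_domains=EXPECTED_DOMAINS):
    """Mirror of the KQL: UPN-style logons in the window whose domain is not the tenant's own.

    Returned newest first, like the query's 'order by Timestamp desc'.
    """
    cutoff = now - timedelta(days=window_days)
    hits = [r for r in rows
            if parse_ts(r["Timestamp"]) > cutoff
            and is_upn(r["AccountName"])
            and upn_domain(r["AccountName"]) not in expected_domains]
    return sorted(hits, key=lambda r: r["Timestamp"], reverse=True)


def new_upn_identities(rows, now, window_days=30):
    """(device, account) pairs seen inside the window but never before it.

    This is the 'new identities on targets' signal: an admin UPN that has
    never logged on to a given machine suddenly doing so is worth a look.
    """
    cutoff = now - timedelta(days=window_days)
    baseline = {(r["DeviceName"], r["AccountName"].lower()) for r in rows
                if is_upn(r["AccountName"]) and parse_ts(r["Timestamp"]) <= cutoff}
    new = {(r["DeviceName"], r["AccountName"].lower()) for r in rows
           if is_upn(r["AccountName"]) and parse_ts(r["Timestamp"]) > cutoff}
    return sorted(new - baseline)


if __name__ == "__main__":
    now = parse_ts("2026-01-14T00:00:00Z")   # constructed 'now' for the demo
    for r in suspicious_upn_logons(SAMPLE_ROWS, now):
        print("foreign UPN logon:", r["Timestamp"], r["DeviceName"], r["AccountName"])
    for device, account in new_upn_identities(SAMPLE_ROWS, now):
        print("new identity on target:", device, account)
```

In a real deployment the rows would come from the KQL query's output rather than an inline list, and EXPECTED_DOMAINS would hold every UPN suffix the tenant legitimately uses; anything left after both filters is the mixed-tenant UPN logon pattern listed in the IOCs.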

IOCs:

  • Port 6516 open via JIT NSG (all sources).
  • Rogue WAC processes/services.
  • Mixed-tenant UPN logons.
  • Unscoped PoP token reuse.

Update to v0.70.00 immediately. Tighten NSG/JIT rules so that port 6516 is reachable only from the gateway. Monitor WAC logs for anomalies.

This flaw underscores the risks of Azure SSO integrations: subtle validation gaps enable local-to-cloud pivots that bypass network segmentation. Prioritize patching and validate the fix with simulation testing.
