Microsoft has released a critical security update addressing a high‑severity elevation of privilege vulnerability in Windows Admin Center (WAC), identified as CVE‑2026‑26119.
The flaw, rated CVSS 8.8 (Critical), stems from improper authentication (CWE‑287) that could allow an authorized attacker to gain elevated network privileges.
According to Microsoft, this vulnerability affects Windows Admin Center version 2.6.4, and it was publicly disclosed on February 17, 2026.
The issue allows attackers who already have limited privileges on the system to escalate their access without further user interaction.
Although Microsoft has not observed active exploitation in the wild, it warns that exploitation is “more likely”, citing the low attack complexity and network exposure of WAC deployments.
When successfully exploited, the attacker could gain the same privileges as the user running the affected application.
Given that Windows Admin Center is often used for centralized system administration, such privilege escalation could enable full control of managed servers, modification of system settings, and access to sensitive data.
Microsoft credits Andrea Pierini from Semperis for responsibly reporting the vulnerability.
The company has released an official fix through the latest Windows Admin Center security update and strongly advises administrators to apply the patch immediately.
Users can find the update and release notes through Microsoft’s official channels (Release Notes, Security Update).
While no proof‑of‑concept (PoC) code has surfaced, the exploitability index indicates a higher likelihood of exploit development in the near term.
Given WAC’s exposure across enterprise environments, delaying patch deployment could leave networks vulnerable to lateral movement and privilege misuse attacks.
Administrators are urged to follow Microsoft’s security update guidance, review account permissions, and monitor event logs for unusual privilege escalations.
More details on the official CVE are available via CVE.org and Microsoft’s Security Update Guide.

