PT-2026-2761 · Microsoft · Windows Admin Center

Ben Zamir (+2) · Published 2026-01-13 · Updated 2026-02-22 · CVE-2026-20965

CVSS v3.1: 7.5
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Windows Admin Center versions prior to 0.70.00

Description: The issue involves improper verification of cryptographic signatures within Windows Admin Center. Exploitation may allow an attacker with local administrator access to elevate privileges and potentially achieve tenant-wide remote code execution (RCE). The flaw resides in the Azure Single Sign-On (SSO) implementation, specifically in the validation of Proof-of-Possession (PoP) tokens. The affected component relies on two tokens, a WAC.CheckAccess token and a PoP-bound token, and an attacker can hijack token validation by mixing a stolen administrator access token with a forged PoP token to impersonate privileged users and move laterally across an entire Azure tenant. Because the vulnerability affects the validation of tokens used for authentication and authorization, critical security mechanisms may be bypassed.
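The token-mixing weakness described above, as an added example that is not Windows Admin Center's or Microsoft's code: a toy PoP validator in its vulnerable form beside the hardened form, showing why the PoP key must come from the access token's key-confirmation claim rather than from the PoP token itself. HMAC stands in for the asymmetric signatures a real PoP scheme uses, and the claim names (`cnf.kid`, `at`), token layout and key store are assumptions modelled on RFC 7800 key confirmation, not WAC's actual format.

```python
import base64, hashlib, hmac, json

# Constructed key store (assumption): the issuer's key plus one PoP key per
# registered holder; the attacker, a local admin, has a registered key too.
KEYS = {"issuer": b"issuer-secret", "victim-k": b"victim-pop-key", "attacker-k": b"attacker-pop-key"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def sign(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_mac(body, key)}"

def parse(token: str):
    body, sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))), body, sig

def at_hash(access_tok: str) -> str:
    return hashlib.sha256(access_tok.encode()).hexdigest()

def _sig_ok(body: str, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sig, _mac(body, key))

def validate_weak(access_tok: str, pop_tok: str):
    """Vulnerable: trusts whichever key the PoP token names, so a forged PoP token signed with any registered key is accepted alongside a stolen access token."""
    at, at_body, at_sig = parse(access_tok)
    pop, pop_body, pop_sig = parse(pop_tok)
    if not _sig_ok(at_body, at_sig, KEYS["issuer"]):
        return None
    if not _sig_ok(pop_body, pop_sig, KEYS.get(pop.get("kid"), b"")):
        return None
    return at["sub"]

def validate_strict(access_tok: str, pop_tok: str):
    """Hardened: the PoP key is the one the issuer bound into the access token (cnf.kid), and the PoP token must commit to this exact access token."""
    at, at_body, at_sig = parse(access_tok)
    pop, pop_body, pop_sig = parse(pop_tok)
    if not _sig_ok(at_body, at_sig, KEYS["issuer"]):
        return None
    bound_kid = at.get("cnf", {}).get("kid")
    if bound_kid is None or pop.get("kid") != bound_kid or not _sig_ok(pop_body, pop_sig, KEYS.get(bound_kid, b"")):
        return None
    if pop.get("at") != at_hash(access_tok):
        return None
    return at["sub"]
```

With a stolen access token for `victim-admin` and a PoP token signed under `attacker-k`, `validate_weak` returns the victim's identity while `validate_strict` rejects the pair because the access token binds `victim-k`.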
Recommendations: Update Windows Admin Center to version 0.70.00 or later. Monitor for suspicious WAC [identity]@[tenant].onmicrosoft.com virtual accounts. Monitor for unexpected access to port 6516.

Tags: Fix, RCE

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: BDU:2026-00475, CVE-2026-20965

Affected Products: Windows Admin Center