Skip to main content

On This Page
← AI News
AI News Cybersecurity Software Updates

Microsoft Patches High-Severity CVE-2026-26119 Privilege Escalation in Windows Admin Center

2 min read
Share

These articles are AI-generated summaries. Please check the original sources for full details.

Microsoft Patches CVE-2026-26119 Privilege Escalation in Windows Admin Center

Microsoft has addressed a critical improper authentication vulnerability in its browser-based Windows Admin Center management suite. Tracked as CVE-2026-26119, the flaw carries a CVSS score of 8.8 and was disclosed publicly on February 17, 2026.

Why This Matters

While Windows Admin Center is designed to provide secure, cloud-independent management of servers and clusters, improper authentication mechanisms can bypass these isolation boundaries. This vulnerability demonstrates the technical reality where a standard user can potentially achieve full domain compromise, undermining the least-privilege models intended for local infrastructure management tools.

Key Insights

  • CVE-2026-26119 carries a high-severity CVSS score of 8.8, indicating a significant risk for network-based privilege escalation.
  • The vulnerability was officially patched in Windows Admin Center version 2511, released by Microsoft in December 2025.
  • Researcher Andrea Pierini from Semperis discovered the flaw, noting it could allow full domain compromise from a standard user account.
  • Microsoft has assigned an ‘Exploitation More Likely’ assessment to this vulnerability despite no current evidence of active exploitation.
  • The flaw resides in improper authentication logic, allowing attackers to gain the rights of the user running the affected application.

Practical Applications

  • Use Case: Deployment of Windows Admin Center v2511 to manage Windows Clients and Servers without cloud connectivity risks.
  • Pitfall: Maintaining legacy versions of Windows Admin Center allows network-based attackers to escalate privileges to the application’s user level.
  • Use Case: Validating authentication configurations in local management tools to prevent standard user escalation to domain admin.
  • Pitfall: Assuming that local, browser-based tools are immune to network-based attacks, leading to delayed patching of high-CVSS vulnerabilities.

References:

Continue reading

Next article

Developer Creates Blog for Consistency in Studies

Related Content

Dec 10, 2025

Microsoft Patches 56 Flaws, Including Actively Exploited Privilege Escalation Bug

Microsoft addressed 56 Windows security vulnerabilities in December 2025, including an actively exploited privilege escalation flaw (CVE-2025-62221) with a CVSS score of 7.8.

Read article
May 9, 2026

cPanel and WHM Patch Critical Vulnerabilities to Prevent RCE and Privilege Escalation

cPanel and WHM released patches for three vulnerabilities, including two CVSS 8.8 flaws, to prevent arbitrary code execution and privilege escalation.

Read article
Jan 7, 2026

n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions

n8n disclosed CVE-2026-21877, a critical authenticated RCE flaw with a CVSS score of 10.0, impacting versions prior to 1.121.3.

Read article