Microsoft has disclosed a privilege-escalation vulnerability in Windows Admin Center (WAC), a browser-based platform widely used by IT administrators and infrastructure teams to manage Windows clients, servers, clusters, Hyper-V hosts and virtual machines, as well as Active Directory-joined systems.
Although the issue was patched in early December 2025 with the release of Windows Admin Center version 2511, it has only just been publicly acknowledged.
The delay in disclosure likely reflects both the nature of the flaw, its severity, and the operational sensitivity of WAC as a centralized management tool.
About CVE-2026-26119
CVE-2026-26119 stems from improper authentication and was discovered by Adrea Pierini, a security consultant with Semperis, in July 2025.
The technical details are still under wraps, but the vulnerabitily’s CVSS score indicates that it can be exploited remotely with low effort, no user interaction, and minimal (low) privileges (i.e., the attacker must already possess valid low-level access credentials).
According to Microsoft, an attacker that successfully exploits CVE-2026-26119 “would gain the rights of the user that is running the affected application.”
Pierini noted that, “Under certain conditions, this issue could allow a full domain compromise starting from a standard user.”
Microsoft considers exploitation of the flaw “more likely”, due to its analysis indicating that attackers could develop reliable exploit code and due to the fact that that similar vulnerabilities have historically been targeted in real-world attacks.
“As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority,” the company advises.
Hopefully, most of them have already upgraded to the fixed version. Those who haven’t should do so immediately, before attackers pinpoint the patch and the source of the flaw, and develop an exploit.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
