CVE Reports

Originally published at cvereports.com

CVE-2026-26119: Windows Admin Center: The 'Sudo' Command You Didn't Know You Had

Vulnerability ID: CVE-2026-26119
CVSS Score: 8.8
Published: 2026-02-17

Microsoft's Windows Admin Center (WAC) was designed to be the modern 'single pane of glass' for system administrators—a web-based evolution of the clunky old MMC snap-ins. Unfortunately, a critical flaw in the Gateway Service turned that glass into a sieve. CVE-2026-26119 allows any authenticated user, regardless of how low their privileges are, to trick the gateway into executing commands with administrative rights. It’s a classic case of a proxy service trusting the client a little too much, effectively handing the keys to the kingdom to anyone who can log in.

TL;DR

High-severity Elevation of Privilege in Windows Admin Center (WAC). A logic flaw in the Gateway Service allows low-privileged users to bypass authorization checks and execute administrative commands on managed servers. Update to version 2.6.4 immediately.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287 (Improper Authentication)
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 8.8 (High)
  • Privileges Required: Low (PR:L)
  • Impact: Total Compromise / RCE
  • Exploit Status: Proof of Concept Expected

Affected Systems

  • Windows Admin Center (Gateway Mode)
  • Windows Admin Center (Desktop Mode)
  • Managed Windows Servers (via lateral movement)
  • Windows Admin Center: 1809.0 <= v < 2.6.4 (Fixed in: 2.6.4)

Mitigation Strategies

  • Update Windows Admin Center to version 2.6.4+
  • Restrict network access to WAC ports (443/6516)
  • Enforce MFA for all WAC users
  • Audit 'Gateway Users' group for unauthorized accounts

Remediation Steps:

  1. Download the 2.6.4 installer from the Microsoft Evaluation Center or Microsoft Update.
  2. Run the installer on the gateway server; it will perform an in-place upgrade.
  3. Restart the 'ServerManagementGateway' service to clear cached sessions.
  4. Verify the version number in the WAC settings menu.
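
A post-upgrade check for steps 3 and 4, run in an elevated PowerShell session on the gateway server. This is an added example, not code from the advisory or from Microsoft. It assumes the product registers under the standard Uninstall registry keys with a DisplayName starting "Windows Admin Center" and that its DisplayVersion uses the same numbering as the fixed version 2.6.4; the parameter names are hypothetical.

```powershell
# Added example: verify the upgrade, optionally restart the gateway service,
# and show where the WAC ports are listening.
# Assumptions (not from the advisory): Uninstall-key DisplayName/DisplayVersion
# layout, and that DisplayVersion is comparable to the advisory's 2.6.4.
param(
    [version]$FixedVersion = '2.6.4',                    # fixed version per the advisory
    [string]$ServiceName   = 'ServerManagementGateway',  # service named in step 3
    [int[]]$WacPorts       = @(443, 6516),               # ports named in the mitigations
    [switch]$RestartService
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$wac = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Windows Admin Center*' } |
    Select-Object -First 1

if (-not $wac) {
    Write-Warning 'No Windows Admin Center install found in the Uninstall registry keys.'
    return
}

# Compare the registered version with the fixed version; fall back to a
# manual check in the WAC settings menu if the string cannot be parsed.
$installed = $null
if (-not [version]::TryParse($wac.DisplayVersion, [ref]$installed)) {
    Write-Warning "Unparseable version '$($wac.DisplayVersion)'; check the WAC settings menu."
} elseif ($installed -lt $FixedVersion) {
    Write-Warning "Installed $installed is older than fixed $FixedVersion."
} else {
    Write-Output "Installed $installed is at or above $FixedVersion."
}

# Step 3: restart the service so cached sessions are dropped.
if ($RestartService) {
    Restart-Service -Name $ServiceName -ErrorAction Stop
}
Get-Service -Name $ServiceName | Select-Object Name, Status

# Show which local addresses accept connections on the WAC ports, as input
# for restricting network access to them.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WacPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```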

Read the full report for CVE-2026-26119 on our website for more details including interactive diagrams and full exploit analysis.
