high advisory

CVE-2026-35438: Windows Admin Center Missing Authorization Vulnerability

CVE-2026-35438 is a missing authorization vulnerability in Windows Admin Center that allows an authorized attacker to elevate privileges over a network.

CVE-2026-35438 is a critical vulnerability affecting Windows Admin Center. This missing authorization vulnerability allows an attacker, who already has some level of authorized access to the network, to elevate their privileges. The vulnerability stems from improper authorization checks within the Admin Center, potentially enabling malicious actors to perform actions beyond their intended permissions. Successful exploitation of this vulnerability could lead to complete control over the affected system or network. Microsoft disclosed this vulnerability on May 12, 2026.

Attack Chain

  1. Attacker gains initial authorized access to a network where Windows Admin Center is deployed. This could be through compromised credentials, insider access, or other legitimate access methods.
  2. Attacker identifies the Windows Admin Center instance and its network address.
  3. Attacker crafts a malicious request to the Windows Admin Center API, exploiting the missing authorization check. This request targets a privileged function or resource.
  4. The malicious request bypasses the authorization check due to the vulnerability.
  5. Windows Admin Center processes the request, granting the attacker elevated privileges.
  6. The attacker leverages the elevated privileges to perform unauthorized actions, such as modifying system configurations, installing malicious software, or accessing sensitive data.
  7. The attacker pivots to other systems on the network, leveraging their newly acquired privileges to further compromise the environment.

Impact

Successful exploitation of CVE-2026-35438 can have severe consequences. An attacker could gain complete control over systems managed by Windows Admin Center, leading to data breaches, system outages, and further compromise of the network. The vulnerability allows attackers to perform administrative tasks beyond their authorization level, potentially impacting all connected systems.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-35438 on all Windows Admin Center instances (see references).
  • Monitor network traffic for suspicious requests to the Windows Admin Center API that may indicate exploitation attempts. Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
  • Review and enforce strict access control policies to minimize the potential impact of compromised credentials.
  • Enable enhanced logging for Windows Admin Center to facilitate incident response and forensic analysis.

Detection coverage (2 rules)

Detect CVE-2026-35438 Exploitation Attempt - WAC Unauthorized API Access

Severity: high

Detects CVE-2026-35438 exploitation attempt - Suspicious HTTP request to Windows Admin Center API endpoint indicating potential privilege escalation.

Format: sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver

Detect CVE-2026-35438 Exploitation Attempt - WAC Suspicious POST Request

Severity: medium

Detects CVE-2026-35438 exploitation attempt - Suspicious POST request to Windows Admin Center API without proper authentication tokens.

Format: sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver
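
The logic the second rule describes (a POST to the Windows Admin Center API with no authenticated identity), sketched over web server logs as an added example; it is not the platform's Sigma rule or Microsoft's code. It assumes W3C extended logs from the web tier in front of Windows Admin Center, a hypothetical `/api/` path prefix, and constructed sample lines, and it narrows the match to requests the server accepted (2xx).

```python
# Added example: the field layout, API prefix and sample lines are assumptions.
from collections import defaultdict

API_PREFIX = "/api/"  # assumed path prefix for the WAC API; adjust to your deployment

# Constructed W3C extended log sample (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2026-05-13 09:14:02 192.0.2.10 CONTOSO\\alice GET /api/example/read 200
2026-05-13 09:14:05 192.0.2.10 CONTOSO\\alice POST /api/example/update 200
2026-05-13 09:15:41 198.51.100.7 - POST /api/example/update 401
2026-05-13 09:15:43 198.51.100.7 - POST /api/example/update 200
2026-05-13 09:15:44 198.51.100.7 - POST /api/example/create 204
2026-05-13 09:16:00 192.0.2.22 - GET /index.html 200
"""

def parse_w3c(text):
    """Yield one dict per log record, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def is_suspicious(rec):
    """POST to the API with no authenticated identity that the server accepted (2xx)."""
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower().startswith(API_PREFIX)
            and rec["cs-username"] == "-"
            and rec["sc-status"].startswith("2"))

def detect(text):
    """Return {client_ip: [uri, ...]} for every suspicious record."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if is_suspicious(rec):
            hits[rec["c-ip"]].append(rec["cs-uri-stem"])
    return dict(hits)

if __name__ == "__main__":
    for ip, uris in detect(SAMPLE_LOG).items():
        print(f"{ip}: {len(uris)} unauthenticated POST(s) accepted -> {uris}")
```

Rejected requests (401/403) are excluded here to keep the alert volume low; count them separately if you also want to see probing that did not succeed.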
