<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windows Admin Center — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/windows-admin-center/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 12 May 2026 18:50:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/windows-admin-center/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-41086: Windows Admin Center Privilege Escalation via Improper Access Control</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41086-wac-privesc/</link><pubDate>Tue, 12 May 2026 18:50:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41086-wac-privesc/</guid><description>CVE-2026-41086 describes an improper access control vulnerability in Windows Admin Center, allowing an authorized attacker to elevate privileges over a network.</description><content:encoded><![CDATA[<p>CVE-2026-41086 is a high-severity vulnerability affecting Windows Admin Center (WAC). The vulnerability stems from improper access control mechanisms within WAC, potentially allowing an authorized attacker to elevate their privileges on the network. An attacker with existing authorized access to WAC could leverage this flaw to gain higher-level control over connected systems. This could enable them to perform unauthorized actions, potentially compromising the confidentiality, integrity, and availability of managed resources. The specific versions of Windows Admin Center affected are not detailed in the source.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial authorized access to Windows Admin Center, potentially through compromised credentials or other legitimate access methods.</li>
<li>Attacker identifies the improper access control vulnerability (CVE-2026-41086) within WAC.</li>
<li>Attacker crafts a malicious request or utilizes a tool to exploit the vulnerability. This may involve manipulating API calls or exploiting flaws in WAC&rsquo;s authorization checks.</li>
<li>The crafted request bypasses the intended access controls, allowing the attacker to access restricted functionality or resources.</li>
<li>Attacker leverages the elevated privileges to perform unauthorized actions on connected systems, such as installing software, modifying configurations, or accessing sensitive data.</li>
<li>Attacker may use the compromised system as a pivot point to gain access to other systems on the network, further expanding their reach.</li>
<li>Attacker establishes persistence on the compromised system to maintain unauthorized access, even after system restarts.</li>
<li>The attacker&rsquo;s final objective is to gain complete control over the targeted network and exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41086 could allow an authorized attacker to escalate their privileges within a network managed by Windows Admin Center. This could lead to unauthorized access to sensitive data, system compromise, and potentially full network takeover. The scope of the impact depends on the extent of the attacker&rsquo;s access and the sensitivity of the data managed by WAC.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch released by Microsoft to address CVE-2026-41086 on all Windows Admin Center installations as soon as possible (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41086">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41086</a>).</li>
<li>Review and enforce strong access control policies for Windows Admin Center to minimize the risk of unauthorized access.</li>
<li>Implement the Sigma rule &ldquo;Detect Suspicious WAC API Access&rdquo; to detect potential exploitation attempts (reference: rule below).</li>
<li>Monitor network traffic for suspicious activity related to Windows Admin Center, such as unusual API calls or data transfers.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>vulnerability</category><category>windows</category></item><item><title>CVE-2026-35438: Windows Admin Center Missing Authorization Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35438-wac-privesc/</link><pubDate>Tue, 12 May 2026 18:33:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35438-wac-privesc/</guid><description>CVE-2026-35438 is a missing authorization vulnerability in Windows Admin Center that allows an authorized attacker to elevate privileges over a network.</description><content:encoded><![CDATA[<p>CVE-2026-35438 is a critical vulnerability affecting Windows Admin Center. This missing authorization vulnerability allows an attacker, who already has some level of authorized access to the network, to elevate their privileges. The vulnerability stems from improper authorization checks within the Admin Center, potentially enabling malicious actors to perform actions beyond their intended permissions. Successful exploitation of this vulnerability could lead to complete control over the affected system or network. Microsoft disclosed this vulnerability on May 12, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial authorized access to a network where Windows Admin Center is deployed. This could be through compromised credentials, insider access, or other legitimate access methods.</li>
<li>Attacker identifies the Windows Admin Center instance and its network address.</li>
<li>Attacker crafts a malicious request to the Windows Admin Center API, exploiting the missing authorization check. This request targets a privileged function or resource.</li>
<li>The malicious request bypasses the authorization check due to the vulnerability.</li>
<li>Windows Admin Center processes the request, granting the attacker elevated privileges.</li>
<li>The attacker leverages the elevated privileges to perform unauthorized actions, such as modifying system configurations, installing malicious software, or accessing sensitive data.</li>
<li>The attacker pivots to other systems on the network, leveraging their newly acquired privileges to further compromise the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35438 can have severe consequences. An attacker could gain complete control over systems managed by Windows Admin Center, leading to data breaches, system outages, and further compromise of the network. The vulnerability allows attackers to perform administrative tasks beyond their authorization level, potentially impacting all connected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update released by Microsoft to patch CVE-2026-35438 on all Windows Admin Center instances (see references).</li>
<li>Monitor network traffic for suspicious requests to the Windows Admin Center API that may indicate exploitation attempts. Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Review and enforce strict access control policies to minimize the potential impact of compromised credentials.</li>
<li>Enable enhanced logging for Windows Admin Center to facilitate incident response and forensic analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>vulnerability</category><category>network</category></item></channel></rss>