Critical Windows Admin Center Flaw Enables Tenant-Wide Compromise via Azure SSO Bypass (CVE-2026-20965)

A high-severity vulnerability in Windows Admin Center's Azure AD Single Sign-On implementation lets an attacker who already holds local administrator rights on a single WAC-managed machine escalate privileges and move laterally across an entire Azure tenant without possessing the victims' credentials.

Cymulate Research Labs discovered the flaw and reported it to Microsoft in August 2025. Microsoft released a patch on January 13, 2026.

Vulnerability Details

  • CVE ID: CVE-2026-20965
  • Severity: High
  • Affected Component: Windows Admin Center Azure Extension
  • Fixed Version: 0.70.00

Who Is Affected

Every Azure VM and Azure Arc-joined machine running an unpatched Windows Admin Center Azure Extension (below version 0.70.00) is vulnerable.

How It Works

The vulnerability stems from two implementation flaws:

  1. Improper token validation - Windows Admin Center does not verify that the user identity carried in the Proof of Possession (PoP) token matches the identity in the WAC.CheckAccess access token. An attacker can therefore pair an access token stolen from a privileged user with a PoP token they forged themselves (signed in a tenant they control), and the gateway treats the request as coming from that privileged user.
  2. Overly permissive JIT access - The Just In Time mechanism opens port 6516 to all source IPs through temporary NSG rules, rather than restricting it to the Azure portal gateway. An attacker can reach a WAC instance directly over that port without needing to know the gateway's DNS name.
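The first flaw, reduced to a minimal model, as an added example (this is not Windows Admin Center's code, and the token format is simplified): each tenant signs its tokens with its own key, the gateway accepts a token from any tenant whose signature it can verify, and the PoP token wraps the access token it accompanies. check_access_vulnerable validates both signatures and the wrapping but never compares the identities in the two tokens, so a stolen admin access token paired with a PoP token forged in an attacker-controlled tenant is accepted as the admin. check_access_fixed adds the identity binding and a home-tenant check. The tenant IDs, keys, claim names and the HS256 construction are all assumptions made for this demo, not details of the real WAC protocol.

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers for the demo (not real tenants).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
# Assumption: one HMAC key per tenant stands in for each tenant's token-signing key.
ISSUER_KEYS = {
    VICTIM_TENANT: b"victim-tenant-signing-key",
    ATTACKER_TENANT: b"attacker-tenant-signing-key",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Issue a compact HS256 JWT signed with the key of the tenant named in `tid`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEYS[claims["tid"]], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str) -> dict:
    """Check the signature against the issuing tenant's key and return the claims."""
    header, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    key = ISSUER_KEYS[claims["tid"]]  # key selection from the not-yet-verified tid claim
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return claims


def check_access_vulnerable(access_token: str, pop_token: str) -> dict:
    """Each token verifies on its own and the PoP wraps this access token, but nothing
    ties the PoP signer's identity to the access token's identity (the flaw class)."""
    access = verify(access_token)
    pop = verify(pop_token)
    if pop["at"] != access_token:
        raise PermissionError("PoP token does not cover this access token")
    return {"tid": access["tid"], "oid": access["oid"], "upn": access["upn"]}


def check_access_fixed(access_token: str, pop_token: str, home_tenant: str = VICTIM_TENANT) -> dict:
    """Same checks plus identity binding: both tokens must name the same principal in the
    same tenant, and that tenant must be the one this gateway serves (added hardening)."""
    access = verify(access_token)
    pop = verify(pop_token)
    if pop["at"] != access_token:
        raise PermissionError("PoP token does not cover this access token")
    if (pop["tid"], pop["oid"]) != (access["tid"], access["oid"]):
        raise PermissionError("PoP identity does not match the access token identity")
    if access["tid"] != home_tenant:
        raise PermissionError("access token issued by a foreign tenant")
    return {"tid": access["tid"], "oid": access["oid"], "upn": access["upn"]}


def build_scenario():
    """Constructed inputs: an admin's stolen access token, the admin's own PoP token,
    and a PoP token the attacker forged in a tenant whose key they control."""
    admin = {"tid": VICTIM_TENANT, "oid": "aaaa-admin", "upn": "admin@victim.example"}
    attacker = {"tid": ATTACKER_TENANT, "oid": "bbbb-attacker", "upn": "evil@attacker.example"}
    stolen_access = mint({**admin, "scp": "WAC.CheckAccess"})
    legit_pop = mint({**admin, "at": stolen_access})
    forged_pop = mint({**attacker, "at": stolen_access})
    return stolen_access, legit_pop, forged_pop


def outcome(check, access_token: str, pop_token: str) -> str:
    """Return the UPN the gateway would act as, or 'denied'."""
    try:
        return check(access_token, pop_token)["upn"]
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    access, legit_pop, forged_pop = build_scenario()
    for name, check in (("vulnerable", check_access_vulnerable), ("fixed", check_access_fixed)):
        print(name, "| admin + own PoP:", outcome(check, access, legit_pop),
              "| stolen token + forged PoP:", outcome(check, access, forged_pop))
```

Note the forged PoP token has a valid signature; the gateway's mistake is not a broken signature check but trusting two independently valid tokens without confirming they describe the same principal.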

Attack Chain

An attacker with local administrator access on one WAC-managed machine can:

  1. Dump the WAC API server certificate
  2. Run a rogue server impersonating the legitimate WAC API
  3. Steal access tokens when privileged users connect via Azure Portal
  4. Forge PoP tokens using an attacker-controlled tenant
  5. Execute remote commands on any WAC-enabled machine the victim has access to

Impact

Successful exploitation enables:

  • Lateral movement across all WAC-managed machines in the tenant
  • Privilege escalation through user impersonation
  • Exfiltration of managed identity credentials
  • Cross-boundary compromise across resource groups and subscriptions
  • Reduced traceability, because the forged PoP tokens originate from an external tenant rather than the victim's own

Remediation

Update Windows Admin Center Azure Extension to version 0.70.00 or later immediately.

Detection

Monitor for logons by virtual accounts whose name is in UPN format and whose domain belongs to a tenant other than your own:

DeviceLogonEvents
| where AccountName contains "@"                                  // UPN-format virtual account
| extend UpnDomain = tolower(tostring(split(AccountName, "@")[1]))
| where UpnDomain !in ("<your tenant>")                           // list every verified domain of your tenant
| project Timestamp, DeviceName, AccountName, UpnDomain, ActionType

The presence of virtual accounts associated with unknown tenant domains may indicate unauthorized WAC access.
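An added audit check for the second flaw (this is not code from the article, Cymulate or Microsoft): given the securityRules array of a network security group in the shape the Azure Resource Manager API returns it, flag inbound Allow rules that let a broad source reach port 6516. The rule names, address ranges and the threshold for what counts as "broad" (wider than /24) are constructed assumptions; only the field names follow the ARM NSG schema.

```python
import ipaddress

WAC_PORT = 6516  # the port the article says JIT opens to all sources
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0"}


def _port_in_range(port: int, spec: str) -> bool:
    """Match one port against an NSG port spec: '*', '6516' or '6000-7000'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _is_broad(prefix: str, max_prefix_len: int) -> bool:
    """True for wildcard sources, the Internet service tag, or a CIDR wider than max_prefix_len.
    Other service tags (e.g. 'AzureCloud') are deliberately not treated as 'anywhere'."""
    if prefix.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen < max_prefix_len
    except ValueError:
        return False


def _listed(props: dict, single: str, plural: str) -> list:
    """NSG rules carry either a scalar field or its plural list form; merge both."""
    values = list(props.get(plural) or [])
    if props.get(single):
        values.append(props[single])
    return values


def exposed_wac_rules(security_rules: list, max_prefix_len: int = 24) -> list:
    """Names of inbound Allow rules that let a broad source reach WAC_PORT."""
    hits = []
    for rule in security_rules:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        if p.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        ports = _listed(p, "destinationPortRange", "destinationPortRanges")
        if not any(_port_in_range(WAC_PORT, s) for s in ports):
            continue
        sources = _listed(p, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_is_broad(src, max_prefix_len) for src in sources):
            hits.append(rule["name"])
    return hits


def _rule(name, dst, src, access="Allow", direction="Inbound", protocol="Tcp"):
    """Build one constructed rule in the shape of an NSG securityRules entry."""
    props = {"access": access, "direction": direction, "protocol": protocol, "sourcePortRange": "*"}
    props["destinationPortRanges" if isinstance(dst, list) else "destinationPortRange"] = dst
    props["sourceAddressPrefixes" if isinstance(src, list) else "sourceAddressPrefix"] = src
    return {"name": name, "properties": props}


# Constructed sample: a JIT-style rule open to the world next to rules that are fine or irrelevant.
SAMPLE_RULES = [
    _rule("SecurityCenter-JITRule_6516", "6516", "*"),             # open to every source
    _rule("AllowWacFromGateway", "6516", "198.51.100.0/28"),       # narrow range (documentation IPs)
    _rule("AllowRdpAny", "3389", "*"),                             # broad, but not the WAC port
    _rule("DenyAll6516", "6516", "*", access="Deny"),              # deny rules are not exposure
    _rule("AllowMgmtRange", "6000-7000", "10.0.0.0/8"),            # port range plus a wide CIDR
    _rule("AllowFromInternetTag", ["443", "6516"], ["Internet"]),  # plural fields, service tag
]


def audit_sample() -> list:
    return exposed_wac_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for name in audit_sample():
        print("EXPOSED:", name)
```

Run this over the securityRules of each NSG attached to WAC-managed VMs; any hit means the WAC listener is reachable from far more than the Azure portal gateway, whether or not the rule was created by JIT.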
