Critical Azure Windows Admin Center RCE Vulnerability Patched
Key Takeaways
- A critical remote code execution (RCE) vulnerability (CVE-2026-32196) was discovered in Windows Admin Center (WAC).
- The flaw allows unauthenticated, one-click RCE on both Azure-integrated and on-premises WAC deployments.
- Attackers can execute arbitrary commands, steal credentials, and gain full control over targeted networks.
- Microsoft has patched Azure-managed instances automatically; on-premises users must update manually.
A severe security vulnerability has been identified in Microsoft’s Windows Admin Center (WAC), a web-based management tool used by IT professionals to administer Windows servers, clients, and clusters. This critical flaw, tracked as CVE-2026-32196, could enable unauthenticated attackers to achieve remote code execution (RCE) with a single click, impacting both cloud-based and on-premises deployments.
The vulnerability, uncovered by Cymulate Research Labs, permits adversaries to execute arbitrary commands and potentially seize control of target networks by simply luring a victim to a specially crafted URL. This technique can lead to significant compromise, ranging from credential theft to full system takeover.
Cymulate Research Labs responsibly disclosed these weaknesses to Microsoft on August 22, 2025. Following the report, Microsoft promptly deployed server-side patches to all Azure-managed WAC instances. This means cloud customers are automatically protected and do not need to take any manual action. However, organizations operating WAC in on-premises environments must proactively update their installations to the latest version to mitigate this critical risk.
Core Vulnerabilities Driving the Exploit
According to the detailed technical report published by Cymulate Research Labs, the exploit chain leverages a combination of three architectural weaknesses:
- Response-based Cross-Site Scripting (XSS): This vulnerability allows attackers to inject malicious JavaScript into error handling mechanisms within both Azure portal flows and on-premises WAC environments.
- Insecure Redirect Handling: WAC was found to accept externally controlled gateway URLs without sufficient validation. This flaw enables threat actors to hijack legitimate application flows, facilitating spoofing and phishing attacks.
- Insecure Credential Storage: In on-premises configurations, sensitive Azure access and refresh tokens are stored directly in the browser’s local storage. This exposes them to immediate theft when combined with the XSS vulnerability.
The research highlights varying attack paths and consequences based on the specific WAC deployment model:
- Azure-managed environments: Attackers can create authentic-looking URLs containing malicious payloads. These links can trigger fake Basic or NTLM authentication prompts, silently harvesting user credentials from a trusted Microsoft domain.
- On-premises deployments: These environments face a higher security impact. Threat actors can force the WAC gateway to execute arbitrary PowerShell commands directly on managed servers, leading to widespread compromise.
- Connected local gateways: When local gateways are connected to Azure, the stored Azure tokens become vulnerable. Their theft can facilitate lateral movement, granting attackers full cloud privileges and tenant control.
The Exploit Chain in Action
Cymulate researchers demonstrated that the complete attack chain requires minimal user interaction. An attacker needs to register a valid domain, secure a trusted web certificate, and then forge a malicious WAC gateway URL. This link can then be distributed via phishing emails, disguised links, or automated web redirections.
Upon clicking the malicious link, the WAC application automatically redirects the victim’s traffic to an attacker-controlled server. This rogue server then responds with a specially crafted error message containing hidden scripts. Crucially, because WAC fails to properly sanitize the incoming response, the malicious code executes directly within the highly privileged WAC browser environment, leading to compromise.
This incident underscores the importance of rigorously validating both client input and server responses during application development, since the weaknesses chained here are individually modest but together enable a complex attack. While Azure-hosted WAC customers are now protected through server-side patching, the risk remains acute for internal networks operating on-premises deployments.
What You Should Do
- Immediately Update On-Premises WAC: All organizations using on-premises Windows Admin Center deployments must upgrade to the latest, patched Microsoft release without delay.
- Verify All Instances: Administrators should conduct a thorough audit to ensure no outdated or unpatched WAC instances remain active within their network infrastructure.
- Enhance User Awareness: Educate users about the risks of clicking suspicious links, especially those that appear to originate from trusted sources, and the dangers of phishing attacks.
- Implement Network Segmentation: Isolate WAC deployments and managed servers on separate network segments to limit potential lateral movement in case of a breach.
- Monitor for Anomalous Activity: Continuously monitor network traffic and system logs for any unusual behavior or unauthorized command execution related to WAC.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.