CVE-2026-20965 is a high-severity vulnerability in the Azure Single Sign-On (SSO) implementation of Windows Admin Center (WAC). The flaw arises from improper validation of Azure identity tokens, specifically the WAC.CheckAccess access token and the Proof-of-Possession (PoP) bound token. It allows an attacker with local administrator privileges on a single WAC-managed machine, such as an Azure Virtual Machine (VM) or an Azure Arc-connected system, to bypass authentication and authorization controls. The validation failures, namely mismatched User Principal Names (UPNs), acceptance of cross-tenant or forged tokens, and lack of strict scoping on resource IDs or URLs, collapse the intended security boundary between an individual machine and the entire Azure tenant.
The exploit chain requires an attacker to first gain local admin access on one compromised machine and then intercept a legitimate WAC.CheckAccess token when a privileged user connects via the Azure Portal. The attacker can run a rogue WAC server to capture tokens and forge a PoP token using their own tenant resources, generating their own key pairs and setting fields such as the resource ID and URL to point at any machine. Combining the two tokens lets them issue commands via the InvokeCommand API. This enables remote code execution (RCE), privilege escalation, and lateral movement across every WAC-managed machine in the tenant for which the connecting user has permissions. Just-In-Time (JIT) access that exposes port 6516 broadly and the unscoped nature of the tokens exacerbate the risk: attacks can be made directly against machine IP addresses without gateway restrictions, potentially leading to full tenant compromise, credential theft, or cross-subscription impact.
Affected components include the Windows Admin Center Azure Extension in versions below 0.70.00, deployed on Azure VMs and Arc-connected machines via the Azure Portal. Microsoft addressed the issue with a patch in version 0.70.00, released on January 13, 2026. Organizations are urged to update immediately, enhance monitoring for anomalous logons such as virtual accounts with external tenant UPNs, restrict network access to WAC ports, and leverage detection tools like KQL queries to identify potential exploitation. This vulnerability underscores the critical importance of robust token validation in cloud management tools to maintain isolation and prevent localized compromises from escalating into widespread breaches.
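To make the three validation failures concrete, here is an added example (not Windows Admin Center's own code) of the cross-token consistency checks a correct validator performs: UPN agreement between the two tokens, rejection of cross-tenant tokens, and strict scoping of the PoP token to one machine's resource ID and URL. The claim names and every identifier below are constructed placeholders, and signature verification of the real tokens is out of scope.

```python
# Added example, not Windows Admin Center's own code: the consistency checks
# whose absence CVE-2026-20965 describes (UPN mismatch, cross-tenant tokens,
# unscoped resource ID / URL), run over constructed claim sets. Claim names
# (upn, tid, resource_id, url) and all values below are illustrative assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class MachineScope:
    """What this single WAC-managed machine may accept."""
    tenant_id: str    # tenant the machine belongs to
    resource_id: str  # ARM resource ID of this machine only
    url: str          # the only management URL a token may name

def validate_token_pair(access: dict, pop: dict, scope: MachineScope) -> list:
    """Return the list of validation failures; an empty list means accept."""
    failures = []
    # Cross-tenant or foreign tokens: both tokens must come from our tenant.
    for name, tok in (("access", access), ("pop", pop)):
        if tok.get("tid") != scope.tenant_id:
            failures.append(f"{name}: tenant {tok.get('tid')!r} is not {scope.tenant_id!r}")
    # UPN mismatch: the PoP token must belong to the same user as the access token.
    if not access.get("upn") or access.get("upn") != pop.get("upn"):
        failures.append(f"upn mismatch: {access.get('upn')!r} vs {pop.get('upn')!r}")
    # Strict scoping: the PoP token must name exactly this machine and this URL.
    if pop.get("resource_id") != scope.resource_id:
        failures.append(f"resource_id {pop.get('resource_id')!r} is not this machine")
    if pop.get("url") != scope.url:
        failures.append(f"url {pop.get('url')!r} is not this machine's URL")
    return failures

# Constructed sample data (placeholder identifiers, not real ones).
SCOPE = MachineScope(
    tenant_id="tenant-A",
    resource_id="/subscriptions/sub-A/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm01",
    url="https://vm01.example.internal:6516",
)
LEGIT_ACCESS = {"upn": "admin@tenant-a.example", "tid": "tenant-A"}
LEGIT_POP = dict(LEGIT_ACCESS, resource_id=SCOPE.resource_id, url=SCOPE.url)
# A PoP token minted in a foreign tenant and pointed at this machine.
FORGED_POP = {"upn": "attacker@tenant-b.example", "tid": "tenant-B",
              "resource_id": SCOPE.resource_id, "url": SCOPE.url}
# A same-tenant, same-user PoP token re-pointed at a different machine.
RESCOPED_POP = dict(LEGIT_POP, resource_id=SCOPE.resource_id.replace("vm01", "vm02"))

def check_samples() -> dict:
    """Validate each constructed pair; a value of [] means the pair was accepted."""
    return {
        "legit": validate_token_pair(LEGIT_ACCESS, LEGIT_POP, SCOPE),
        "forged": validate_token_pair(LEGIT_ACCESS, FORGED_POP, SCOPE),
        "rescoped": validate_token_pair(LEGIT_ACCESS, RESCOPED_POP, SCOPE),
    }
```

Only the legitimate pair is accepted; the foreign-tenant token fails on both the tenant and UPN checks, and the re-pointed token fails on the resource ID check alone, which is the scoping control that keeps one compromised machine from reaching the rest of the tenant.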
Severity:
High
Tactics:
Credential Access, Defense Evasion, Execution, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Techniques:
T1021 – Remote Services
T1059 – Command and Scripting Interpreter
T1068 – Exploitation for Privilege Escalation
T1078 – Valid Accounts
T1489 – Service Stop
T1499 – Endpoint Denial of Service
T1543 – Create or Modify System Process
T1548 – Abuse Elevation Control Mechanism
T1550 – Use Alternate Authentication Material
T1552 – Unsecured Credentials
T1569 – System Services
T1570 – Lateral Tool Transfer
References:
1. https://cymulate.com/blog/cve-2026-20965-azure-windows-admin-center-tenant-wide-rce/
SuperPRO’s Threat Countermeasures Procedures:
1. Apply the Microsoft patch immediately — Update the Windows Admin Center Azure Extension to version 0.70.00 (released January 13, 2026) on all affected Azure VMs and Azure Arc-connected machines. All versions below 0.70.00 remain vulnerable. Prioritize deployment across the environment using automated tools or Azure Update Management to close the primary exploit path.
Contributed by: Hadi