Azure Identity Token Flaw Allows Tenant-Wide Compromise in Windows Admin Center
The flaw, tracked as CVE-2026-20965, affects every Azure virtual machine and Arc-connected system running unpatched Windows Admin Center (WAC) Azure Extension versions below 0.70.00.
The vulnerability stems from Windows Admin Center’s failure to properly validate two access tokens used during Azure SSO authentication. WAC requires a WAC.CheckAccess token to verify user permissions and a Proof-of-Possession (PoP) token cryptographically bound to browser-generated keys. However, the system does not validate that both tokens belong to the same user identity.
This oversight allowed attackers to combine a stolen WAC.CheckAccess token from a privileged administrator with their own forged PoP token, effectively impersonating the victim without valid Azure credentials.
The Just-in-Time access configuration further exposed the WAC API port (6516) to all source IPs, enabling direct access without requiring knowledge of the gateway’s DNS name.
Successful exploitation required attackers to possess local administrator privileges on an Azure VM or Arc-connected machine with WAC installed, then wait for a privileged user to initiate a connection via Windows Admin Center from the Azure Portal.
Once the victim’s token was captured, attackers could escalate privileges, execute remote commands with administrative rights, and move laterally across every WAC-enabled machine accessible to the compromised identity.
This technique allowed attackers to breach logical cloud boundaries, pivoting from isolated virtual machines to entire resource groups and subscriptions, as reported by Cymulate.
The forged requests originated from non-existent users in the victim tenant, significantly reducing traceability and complicating detection efforts.
Microsoft patched the vulnerability in Windows Admin Center Azure Extension version 0.70.00, released January 14, 2026.
Security teams should immediately update affected systems and monitor for suspicious virtual account creation following the UPN format WAC_[identity]@[tenant].onmicrosoft.com, particularly from unknown or external tenant domains.
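As an added illustration of that monitoring step (not code from the advisory or from Cymulate), the following Python scans constructed account-creation audit lines for virtual-account UPNs in the WAC_[identity]@[tenant].onmicrosoft.com format and flags those whose tenant is not on a hypothetical allow-list of expected tenants:

```python
import re
from typing import Iterable

# Virtual accounts created by the WAC Azure extension follow the UPN format
# WAC_[identity]@[tenant].onmicrosoft.com (as stated in the advisory).
# Assumption: the identity part does not itself contain '@'.
WAC_UPN = re.compile(
    r"^WAC_(?P<identity>[^@\s]+)@(?P<tenant>[A-Za-z0-9-]+)\.onmicrosoft\.com$",
    re.IGNORECASE,
)

# Constructed sample audit lines in the form "<timestamp> <event> <upn>".
# These are not real logs and the tenants/users are made up.
SAMPLE_LOG = """\
2026-01-20T10:02:11Z AccountCreated WAC_alice@contoso.onmicrosoft.com
2026-01-20T10:05:43Z AccountCreated WAC_admin@unknowntenant.onmicrosoft.com
2026-01-20T10:06:00Z AccountCreated bob@contoso.onmicrosoft.com
2026-01-20T10:07:30Z AccountCreated WAC_svc@contoso.onmicrosoft.com
2026-01-20T10:09:12Z AccountDeleted WAC_alice@contoso.onmicrosoft.com
"""

# Hypothetical allow-list: tenants whose WAC virtual accounts are expected.
KNOWN_TENANTS = {"contoso"}


def parse_wac_upn(upn: str):
    """Return (identity, tenant) if upn matches the WAC virtual-account format, else None."""
    m = WAC_UPN.match(upn)
    if not m:
        return None
    return m.group("identity"), m.group("tenant").lower()


def find_suspicious_wac_accounts(log_text: str, known_tenants: Iterable[str]):
    """Flag AccountCreated events whose WAC_ UPN names a tenant outside the allow-list."""
    known = {t.lower() for t in known_tenants}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "AccountCreated":
            continue  # only account creation is of interest here
        parsed = parse_wac_upn(parts[2])
        if parsed is None:
            continue  # not a WAC virtual account
        identity, tenant = parsed
        if tenant not in known:
            hits.append({"time": parts[0], "identity": identity, "tenant": tenant, "upn": parts[2]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_wac_accounts(SAMPLE_LOG, KNOWN_TENANTS):
        print(f"[ALERT] {hit['time']} WAC virtual account from external tenant: {hit['upn']}")
```

Creations from the expected tenant are still worth reviewing after the patch window, since a stolen administrator token would produce an account in the victim tenant's own domain; the external-tenant filter only isolates the lowest-noise signal.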
Cymulate introduced an automated exposure validation scenario that performs subscription-wide scans to identify vulnerable machines, enabling teams to prioritize remediation effectively.
The post Azure Identity Token Flaw Allows Tenant-Wide Compromise in Windows Admin Center appeared first on Cyber Security News.