One-Click RCE in Azure Windows Admin Center Lets Attackers Execute Arbitrary Commands

A newly disclosed flaw in Azure Windows Admin Center (WAC) allows unauthenticated, one‑click remote code execution (RCE) and token theft simply by luring an admin to a tampered but “legit‑looking” URL.

The chained bugs are tracked collectively as CVE‑2026‑32196 and stem from control‑flow hijacking in WAC’s web logic that turns a single click into arbitrary PowerShell execution and possible Azure tenant compromise.

What Cymulate found

Researchers from Cymulate Research Labs discovered that multiple weaknesses in Windows Admin Center’s Azure‑integrated and on‑prem deployments can be combined into a powerful attack chain.

By abusing a crafted gateway URL, an attacker can force the victim’s browser to talk to a rogue “WAC‑like” server under the attacker’s control, without any prior authentication.

The issues were reported to Microsoft in August 2025; Azure‑hosted WAC was fixed server‑side, while on‑prem customers must upgrade to the latest Windows Admin Center build.

Microsoft treated the Azure SaaS side as a cloud‑only issue remediated centrally and therefore did not assign a separate cloud CVE, but the on‑premises impact is tracked under CVE‑2026‑32196.

Root cause: XSS to control flow hijack

CVE‑2026‑32196 is driven by three core problems in WAC’s design and response handling.

• Response‑based cross‑site scripting (XSS): Error responses from gateway endpoints are parsed as JSON and rendered directly into the page, allowing attacker‑supplied HTML/JavaScript to run in the WAC origin when an HTTP 400‑style error is returned.
• Externally controlled gateway URL: WAC accepts arbitrary HTTPS gateway URLs with valid certificates, enabling flow redirection to a non‑Microsoft server that mimics the WAC API.
• Insecure credential storage (on‑prem): When an on‑prem WAC gateway is registered in Azure, access and refresh tokens are stored in browser local storage under the WAC domain, making them directly accessible to injected JavaScript.

Once XSS is triggered, the attacker’s script can call internal WAC APIs, send cross‑frame messages inside the Azure portal, and steal tokens or execute commands as if they were the logged‑in admin.

On Azure‑managed WAC, a forged portal URL with a malicious gatewayUrl parameter sends the victim’s browser to an attacker‑controlled HTTPS service that returns a crafted JSON error and injects JavaScript via the unsanitized message field.

That script runs inside the embedded waconazure iframe, giving access to WAC context, notifications, and UI flows for phishing, NTLM/Basic credential harvesting, and subtle social engineering inside the Azure portal.

On on‑prem WAC, the same gateway logic still exists but runs in the gateway’s own origin, raising the impact from XSS to direct RCE.

A single click on a tampered WAC URL can cause the victim browser to invoke WAC’s PowerShell execution APIs and run arbitrary commands on any managed server the admin can reach, without additional prompts.

If that gateway is linked to Azure, the injected script can also read Azure management tokens from local storage and exfiltrate them, enabling full user impersonation and lateral movement into the tenant.

Organizations are at the highest risk if they:

• Expose the on‑prem Windows Admin Center to admins over the internet or untrusted networks.
• Use WAC gateways registered with Azure, especially with high‑privilege accounts.

Recommended actions:

• Upgrade all on‑prem Windows Admin Center instances to the latest Microsoft‑released version and verify there are no stragglers.
• Restrict access to WAC gateways using VPN, network segmentation, and strong authentication.
• Audit browser‑stored tokens and reduce reliance on local storage for sensitive Azure credentials.
• Monitor for suspicious WAC URLs, unexpected gateway domains, and unusual PowerShell execution from WAC‑managed hosts.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post One-Click RCE in Azure Windows Admin Center Lets Attackers Execute Arbitrary Commands appeared first on Cyber Security News.