Attackers with local administrator access could circumvent authentication and obtain unauthorized access to any machine within the same Azure tenant, due to a critical vulnerability in the Microsoft Azure AD Single Sign-On (SSO) implementation for Windows Admin Center (WAC). All Azure virtual machines and Arc-connected systems running unpatched WAC Azure Extension versions below 0.70.00 are vulnerable to the flaw, which is tracked as CVE-2026-20965.

Taking Advantage of Inadequate Token Validation

The weakness results from Windows Admin Center's improper validation of the two tokens used for Azure SSO authentication. For SSO to function, WAC verifies user permissions using an Access token together with a Proof-of-Possession (PoP) token that is cryptographically bound to keys generated by the browser. However, the system does not verify that the two tokens belong to the same user.

Because of this oversight, attackers could pair a privileged administrator's stolen WAC Access token with their own forged PoP token, have that Access token accepted as valid, and impersonate the victim without ever holding legitimate Azure credentials. Because the Just-in-Time access configuration exposed the WAC API port (6516) to all source IPs, the API could be reached directly, without knowledge of the gateway DNS name.

To exploit the flaw, attackers needed local administrator rights on an Azure virtual machine (VM) or Arc-connected computer with WAC installed, and then had to wait for a privileged user to connect through Windows Admin Center from the Azure Portal. Once they had obtained the victim's token, attackers could escalate privileges, run remote commands with administrative rights, and move laterally across all WAC-enabled machines accessible to the compromised identity.

According to Cymulate, this method (a stolen WAC Access token paired with a falsified PoP token) enabled attackers to cross logical cloud boundaries, moving from isolated virtual machines to entire resource groups and subscriptions. Because the forged requests appeared to come from nonexistent users in the victim tenant, traceability was severely hampered and detection was made more difficult. Microsoft fixed the vulnerability in Windows Admin Center Azure Extension version 0.70.00, released on January 14, 2026.

Security teams should update affected systems immediately and monitor for the creation of suspicious virtual accounts using the UPN format WAC_[identity]@[tenant].onmicrosoft.com, especially from tenant domains that are unknown or external. To help teams prioritize remediation efficiently, Cymulate released an automated exposure validation scenario that runs subscription-wide scans to find vulnerable machines.
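The two checks recommended above, as an added example that is not part of the original article or of Cymulate's scenario: a version comparison against the patched extension release (0.70.00) and a scan of directory audit lines for WAC_ virtual-account UPNs whose tenant domain is not on a known-tenant allowlist. The audit line format, the `upn=` field and the tenant names are constructed for the example.

```python
import re

# Extension versions below this one are unpatched (from the advisory text).
PATCHED_VERSION = (0, 70, 0)

# UPN shape of the virtual accounts named in the advisory:
# WAC_[identity]@[tenant].onmicrosoft.com
WAC_UPN_RE = re.compile(
    r"^WAC_(?P<identity>[^@\s]+)@(?P<tenant>[^.\s]+)\.onmicrosoft\.com$",
    re.IGNORECASE,
)

# Constructed audit lines; the "upn=" field is an assumption for this example.
SAMPLE_EVENTS = [
    "2026-01-15T10:02:11Z Add user upn=WAC_alice@contoso.onmicrosoft.com",
    "2026-01-15T10:03:40Z Add user upn=bob@contoso.onmicrosoft.com",
    "2026-01-15T10:05:02Z Add user upn=WAC_svc01@evilcorp.onmicrosoft.com",
    "2026-01-15T10:06:19Z Update user upn=WAC_alice@contoso.onmicrosoft.com",
]


def parse_version(ver: str) -> tuple:
    """Turn '0.69.12' into (0, 69, 12) so tuples compare numerically."""
    return tuple(int(part) for part in ver.strip().split("."))


def needs_patch(ver: str) -> bool:
    """True when the WAC Azure Extension version is below 0.70.00."""
    return parse_version(ver) < PATCHED_VERSION


def classify_upn(upn: str, known_tenants: set) -> str:
    """Label a UPN as not-wac, wac-known-tenant or wac-unknown-tenant."""
    match = WAC_UPN_RE.match(upn)
    if not match:
        return "not-wac"
    tenant = match.group("tenant").lower()
    known = {t.lower() for t in known_tenants}
    return "wac-known-tenant" if tenant in known else "wac-unknown-tenant"


def find_suspicious(events, known_tenants: set) -> list:
    """Return the UPNs of newly created WAC_ accounts from unknown tenants."""
    hits = []
    for line in events:
        if "Add user" not in line:
            continue  # only account creation is of interest here
        for upn in re.findall(r"upn=(\S+)", line):
            if classify_upn(upn, known_tenants) == "wac-unknown-tenant":
                hits.append(upn)
    return hits
```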