CVE-2026-20965

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited the vulnerability could gain local admin privileges on targeted WAC-managed machines within a tenant.

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.

How could an attacker exploit this vulnerability?

An attacker with local administrator privileges could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node.

How do I get the update for Windows Admin Center (WAC) in Azure?

You can upgrade WAC in the Portal extension on your VM on Azure Portal by:

• Automatic upgrades: By default customers are onboarded to automatic upgrades where the latest version is auto-installed when it becomes available.
• If the automatic upgrade is not installed you can get the update by going to the server on Azure Portal that you use, as follows:
  • In Settings + extensions see 'AdminCenter'. If an update is available use the Update button next to "Update available' to install the update for your WAC extension.

For more information see Manage a Windows VM using Windows Admin Center in Azure