Windows Admin Center: The 'Sudo' Command You Didn't Know You Had

Windows Admin Center (WAC) is the darling of modern Microsoft infrastructure management. It’s sleek, it’s web-based, and it consolidates everything—Server Manager, Failover Clustering, Hyper-V—into one browser tab. To make this magic happen, WAC uses a Gateway Service (ServerManagementGateway.exe). This gateway is the middleman; it takes your HTTP clicks, translates them into PowerShell or WMI calls, and fires them off to the managed servers. Because it needs to do heavy lifting, the Gateway itself usually runs with high privileges (often SYSTEM or a dedicated high-priv service account) or utilizes complex delegation mechanisms like CredSSP to impersonate the user.

Here is the catch: When you build a proxy that acts on behalf of others, your impersonation logic better be bulletproof. If the gateway gets confused about who is asking for a command versus who it is executing the command as, you have a problem. CVE-2026-26119 is exactly that problem.

Imagine a bank teller (the Gateway) who is supposed to check your ID before letting you into the vault. In this scenario, you show them a library card (low privileges), but you slip them a note saying, 'Actually, I'm the CEO,' and they just believe you without checking the signature. That is the essence of this vulnerability. It turns the WAC Gateway into a confused deputy that happily elevates your mundane requests into administrative decrees.

The root cause lies deep within the authentication handling of the Windows Admin Center Gateway Service. Specifically, the flaw is a textbook Improper Authentication (CWE-287) issue combined with a failure in privilege context switching. The WAC Gateway exposes various API endpoints to the frontend. When a user logs in, they are issued a token or session cookie. For most operations, the Gateway checks this token to ensure the user has the right to view a page.

However, when it comes to executing commands (the dangerous part), the validation logic fell short. The vulnerability implies that the checks performed by the Gateway were strictly checking if a user was authenticated, but failed to robustly validate the authorization scope for specific high-privilege operations, or potentially trusted user-controlled input to determine the execution context.

Technical analysis suggests that the service fails to properly validate authentication tokens when handling requests for high-privileged operations. This means a low-privileged user—someone who perhaps only has rights to view event logs—can craft a request that targets an administrative API endpoint. Instead of rejecting the request with a 403 Forbidden, the Gateway processes it. Why? Because the code likely decoupled the 'authentication' (Are you a valid user?) from the 'authorization' (Can you do this specific thing?), and the latter check was either missing or bypassable via token manipulation.

While Microsoft has not released the exact source code, we can reconstruct the vulnerability pattern based on the behavior of ServerManagementGateway.exe and typical .NET middleware flaws. The vulnerable logic likely resembles a pattern where the authorization context is derived from a mutable request parameter rather than the immutable identity token.

Consider the following reconstructed pseudo-code representing the flawed logic:

// VULNERABLE LOGIC (Conceptual)
public async Task<IActionResult> ExecuteCommand([FromBody] CommandRequest request)
{
    // 1. Check if the user is logged in (Authentication)
    if (!this.User.Identity.IsAuthenticated)
    {
        return Unauthorized();
    }
 
    // 2. THE BUG: The code trusts the 'TargetRole' specified in the request
    // or fails to cross-reference it against the User's actual claims.
    var executionContext = request.TargetRole == "Admin" 
        ? _adminContext 
        : _userContext;
 
    // 3. Execute the PowerShell script
    return await _powerShellRunner.Run(request.Script, executionContext);
}

In the corrected version (Patch 2.6.4), the logic forces a strict validation against the backend access control list (ACL) or the actual delegated credentials, ignoring any client-side suggestions of privilege:

// PATCHED LOGIC (Conceptual)
public async Task<IActionResult> ExecuteCommand([FromBody] CommandRequest request)
{
    // 1. Authenticate
    if (!this.User.Identity.IsAuthenticated) return Unauthorized();
 
    // 2. THE FIX: Explicitly validate permissions against the backend identity source
    if (request.RequiresAdmin && !this.User.IsInRole("WAC_Admins"))
    {
        // Hard stop if the user isn't actually an admin
        return Forbid("Insufficient privileges for this operation.");
    }
 
    // 3. Use the user's OWN identity for execution, never a cached generic admin context
    return await _powerShellRunner.Run(request.Script, this.User.Identity);
}

The patch effectively removes the 'trust' the Gateway placed in the request parameters, enforcing a server-side truth about who the user actually is.

To exploit this, an attacker needs Valid Accounts (T1078) on the WAC instance. This is not an unauthenticated RCE; it is an insider threat or compromised credential scenario. Once inside, the exploitation path is straightforward but devastating.

Step 1: Reconnaissance The attacker logs into WAC with their low-level account. They open the browser's Developer Tools (F12) and monitor the network traffic while performing basic allowed actions. They are looking for API calls to endpoints like /_api/nodes/{target}/features/powershell.

Step 2: Token/Header Manipulation The attacker identifies the request responsible for executing scripts. They copy this request to a tool like Burp Suite or Postman. They modify the payload. If the system expects a script block, they inject a command to add themselves to the local administrators group: Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\LowPrivUser"

Step 3: The Bypass The critical step involves manipulating the headers. The attacker might modify custom headers used by the WAC Gateway for session tracking, or simply replay the request to an administrative endpoint that typically requires higher clearance. Due to the CVE-287 flaw, the Gateway processes the Add-LocalGroupMember command using its own high-privilege context (or a cached admin context) rather than the user's restricted context.

Step 4: Persistence Once the command executes, the attacker's user is now a local administrator on the target machine. They can now RDP in, dump credentials (LSASS), or move laterally to the Domain Controller.

Windows Admin Center is often used to manage Tier 0 assets—Domain Controllers, Hyper-V clusters, and Backup servers. A compromise here is Game Over for the entire domain.

Confidentiality: An attacker can access sensitive files, configuration data, and potentially credential stores on managed nodes. If WAC manages virtual machines, the attacker could snapshot and download active directory database files (ntds.dit).

Integrity: The ability to modify system configurations allows for the installation of backdoors, disabling of EDR/Antivirus solutions, and the manipulation of firewall rules to permit C2 traffic.

Availability: The most immediate threat is ransomware. With administrative access to the management gateway, an attacker can push a ransomware binary to every managed server simultaneously using WAC's own legitimate deployment features, encrypting the entire infrastructure in minutes.

Microsoft has released version 2.6.4 to address this vulnerability. The update hardens the authentication logic within the Gateway Service, ensuring that every API call is strictly validated against the user's actual token claims before execution.

Immediate Actions:

1. Patch: Update all instances of Windows Admin Center to 2.6.4 or higher immediately. This is the only effective fix.
2. Kill Sessions: After patching, restart the WAC service to invalidate any active sessions that might be exploiting the flaw.
3. Audit: Check the Gateway Users group on the WAC server. Ensure only authorized personnel have access to log in at all. Even with the patch, WAC is a high-value target.

Defense in Depth: If you cannot patch immediately (why?), you must restrict access to the WAC interface. Use network segmentation to ensure only a jump box or specific management subnet can reach the WAC HTTPS port. Do not expose WAC to the open internet—that's just asking for trouble, vulnerability or not.