
Microsoft has patched a severe vulnerability in its Azure AD Single Sign-On (SSO) integration with Windows Admin Center (WAC) that allowed attackers to bypass authentication and gain unauthorized access to any machine within an affected Azure tenant. Tracked as CVE-2026-20965, this flaw impacted all Azure virtual machines and Arc-connected systems running WAC Azure Extension versions below 0.70.00. The discovery highlights ongoing challenges in cloud identity security and underscores the risks of misconfigured SSO systems in hybrid environments.
Summary of the Vulnerability
The root of the problem lies in improper token validation within WAC. During Azure SSO authentication, WAC relies on two tokens: an access token, which verifies user permissions, and a Proof-of-Possession (PoP) token, cryptographically tied to browser-generated keys. The system failed to ensure that both tokens belonged to the same user identity.
Exploiting this oversight, attackers could combine a stolen access token from a privileged administrator with their own forged PoP token, effectively impersonating the administrator without valid Azure credentials. The vulnerability was further amplified by WAC’s Just-in-Time (JIT) access configuration, which exposed the WAC API port (6516) to all IPs, allowing attackers to connect without knowing the gateway DNS.
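The missing check described above, as an added illustration that is not code from the article, from Microsoft or from Cymulate: two validators over simplified signed tokens, one that verifies each token on its own (the vulnerable pattern) and one that additionally requires the access token and the PoP token to name the same principal in the same tenant. The token format, the single demo signing key, the claim names (`oid`, `tid`, `cnf.kid`) and the sample principals are all constructed assumptions; a real gateway verifies issuer signatures against the issuer's published keys and the PoP signature against the browser's key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the issuer's signing key. In the real
# flow the PoP token is signed with the browser's own key, not the issuer's;
# using one demo key for both keeps the example focused on the binding check.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Issue a compact HMAC-SHA256 token: base64url(claims).base64url(sig)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(token: str) -> dict:
    """Check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def weak_authenticate(access_token: str, pop_token: str, request_kid: str) -> str:
    """Vulnerable pattern: both tokens are checked, but never against each other.
    The caller's identity is taken from the access token alone."""
    access = verify(access_token)
    pop = verify(pop_token)
    if pop.get("cnf", {}).get("kid") != request_kid:
        raise ValueError("PoP token is not bound to the requesting key")
    return access["oid"]


def strict_authenticate(access_token: str, pop_token: str, request_kid: str) -> str:
    """Hardened pattern: same checks, plus both tokens must describe the same
    principal (oid) in the same tenant (tid)."""
    access = verify(access_token)
    pop = verify(pop_token)
    if pop.get("cnf", {}).get("kid") != request_kid:
        raise ValueError("PoP token is not bound to the requesting key")
    for claim in ("oid", "tid"):
        if access.get(claim) is None or access.get(claim) != pop.get(claim):
            raise ValueError(f"identity mismatch between tokens on '{claim}'")
    return access["oid"]


# Constructed scenario: an administrator's access token paired with a PoP token
# issued to a different, low-privilege principal in the same tenant.
TENANT = "00000000-0000-0000-0000-00000000demo"
ADMIN_ACCESS_TOKEN = mint({"oid": "admin-oid", "tid": TENANT, "scp": "wac.admin"})
ADMIN_KID = "sha256:admin-browser-key-thumbprint"
ADMIN_POP_TOKEN = mint({"oid": "admin-oid", "tid": TENANT, "cnf": {"kid": ADMIN_KID}})
OTHER_KID = "sha256:other-browser-key-thumbprint"
OTHER_POP_TOKEN = mint({"oid": "lowpriv-oid", "tid": TENANT, "cnf": {"kid": OTHER_KID}})


def demo() -> tuple:
    """Return (identity accepted by the weak check, error raised by the strict check)
    for the mismatched token pair."""
    accepted = weak_authenticate(ADMIN_ACCESS_TOKEN, OTHER_POP_TOKEN, OTHER_KID)
    try:
        strict_authenticate(ADMIN_ACCESS_TOKEN, OTHER_POP_TOKEN, OTHER_KID)
        rejected = None
    except ValueError as err:
        rejected = str(err)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The weak validator returns "admin-oid" for the mismatched pair, which is the impersonation the article describes; the strict validator rejects it while still accepting the administrator's own matching pair. The design point is that signature validity of each token is necessary but not sufficient: the gateway has to bind the two tokens to one identity before trusting either.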
Successful exploitation required the attacker to have local administrator privileges on a WAC-enabled Azure VM or Arc-connected machine. Once a privileged user initiated a connection via Windows Admin Center, the attacker could capture tokens, escalate privileges, execute commands remotely with administrative rights, and move laterally across all WAC-enabled machines in the tenant.
The attack allowed logical cloud boundary breaches, letting threat actors pivot from a single virtual machine to entire resource groups and subscriptions. Complicating detection, forged requests originated from non-existent users within the victim tenant, making tracking and mitigation more challenging.
Microsoft addressed the issue with Windows Admin Center Azure Extension version 0.70.00, released on January 14, 2026. Security teams are urged to update immediately and monitor for suspicious virtual account creation, particularly accounts following the format WAC_[identity]@[tenant].onmicrosoft.com. Cymulate has also released an automated validation tool that scans subscriptions to identify vulnerable machines, helping teams prioritize remediation.
What Undercode Say:
This vulnerability represents a wake-up call for Azure administrators. While cloud environments are often thought of as logically isolated, WAC’s token mismanagement shows that a single misconfiguration can allow attackers to compromise an entire tenant. The combination of token forgery and JIT exposure is particularly dangerous because it exploits the very mechanisms designed to secure administrative access.
Administrators should treat token-based authentication with the same scrutiny as network security. Multi-layered validation, including cross-verification of all tokens, is critical. The attack also highlights the importance of monitoring privileged sessions in real-time. Tools like Cymulate’s exposure validation can help detect weak points before attackers exploit them.
From an operational standpoint, this vulnerability underscores the risks of hybrid and cloud-extended environments, where local admin access on a single VM can turn into tenant-wide compromise. Companies should adopt a least-privilege model, minimize Just-in-Time exposure where possible, and ensure that security updates are applied consistently across all Arc-connected systems.
The fact that the malicious requests originated from non-existent users also points to the need for behavioral analytics. Traditional logging might miss these attacks entirely, but anomaly detection and correlation across tokens, sessions, and access patterns could provide early warning.
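The monitoring advice given earlier (watch for virtual accounts of the form WAC_[identity]@[tenant].onmicrosoft.com) and the point above about requests from non-existent users can be turned into a small detection, shown here as an added example that is not code from the article or from any vendor. It scans constructed audit lines in a simple pipe-delimited shape (not the real Entra ID audit-log schema), matches the account pattern, and raises severity when the identity embedded in the account name does not correspond to any principal in a constructed directory snapshot.

```python
import re
from collections import namedtuple

# Pattern for the virtual accounts described in the article:
# WAC_[identity]@[tenant].onmicrosoft.com
WAC_ACCOUNT = re.compile(
    r"\bWAC_(?P<identity>[^@\s|]+)@(?P<tenant>[^\s|.]+)\.onmicrosoft\.com\b",
    re.IGNORECASE,
)

# Constructed audit lines (assumed format, not a real log schema):
# timestamp|activity|target|initiator
SAMPLE_AUDIT_LOG = """\
2026-01-15T08:01:12Z|Add user|WAC_alice@contoso.onmicrosoft.com|wac-gateway
2026-01-15T08:01:13Z|Add user to role|WAC_alice@contoso.onmicrosoft.com|wac-gateway
2026-01-15T08:40:55Z|Add user|svc-backup@contoso.onmicrosoft.com|admin@contoso.onmicrosoft.com
2026-01-15T09:12:03Z|Add user|WAC_qx7z9p@contoso.onmicrosoft.com|wac-gateway
2026-01-15T09:12:04Z|Add user to role|WAC_qx7z9p@contoso.onmicrosoft.com|wac-gateway
2026-01-15T09:30:47Z|Update user|bob@contoso.onmicrosoft.com|admin@contoso.onmicrosoft.com
"""

# Constructed directory snapshot: identities that legitimately exist in the tenant.
KNOWN_IDENTITIES = {"alice", "bob", "admin", "svc-backup"}

Finding = namedtuple("Finding", "timestamp activity identity tenant severity")


def scan_audit_log(text: str, known: set = KNOWN_IDENTITIES) -> list:
    """Return one Finding per event that touches a WAC_ virtual account.

    Severity is 'high' when the identity in the account name matches no known
    principal (the non-existent-user pattern), 'medium' when it maps to a real one.
    """
    known_lower = {k.lower() for k in known}
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|")
        if len(fields) != 4:
            continue  # malformed line for this constructed format; skip it
        timestamp, activity, target, _initiator = fields
        match = WAC_ACCOUNT.search(target)
        if not match:
            continue
        identity = match.group("identity")
        severity = "medium" if identity.lower() in known_lower else "high"
        findings.append(Finding(timestamp, activity, identity, match.group("tenant"), severity))
    return findings


def high_severity_identities(findings: list) -> set:
    """Distinct identities behind high-severity findings, for a triage queue."""
    return {f.identity for f in findings if f.severity == "high"}


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

On the sample lines the two events for WAC_alice are medium (alice exists), the two for WAC_qx7z9p are high (no such principal), and the ordinary account changes produce no finding. Adapting this to a real environment means replacing the constructed log parser with the tenant's actual audit-log export and the snapshot with a query against the directory.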
In addition, this incident emphasizes the growing need for identity-centric security strategies. Organizations can no longer rely solely on perimeter controls; they must validate every identity, device, and session in real-time, particularly when privileged access is involved.
Finally, the incident demonstrates that attackers are increasingly targeting the administrative tooling itself, rather than just exploiting cloud misconfigurations. WAC, intended to simplify administration, became the attack vector, showing that usability and security must be balanced carefully.
Fact Checker Results:
✅ CVE-2026-20965 affects Azure VMs and Arc-connected systems running WAC < 0.70.00.
✅ Microsoft patched the vulnerability in WAC Azure Extension version 0.70.00 on January 14, 2026.
❌ Exploitation requires local administrator privileges on at least one machine; remote attacks without local access are not feasible.
Prediction:
Given the severity of this flaw, we anticipate a spike in targeted attacks against hybrid cloud environments using similar token-based exploits. Organizations may increasingly adopt automated token validation and anomaly detection tools to prevent lateral movement. Cybersecurity vendors will likely release real-time monitoring solutions for privileged accounts in WAC and other administrative portals. Expect cloud providers to tighten SSO token validation policies and reduce Just-in-Time exposure in default configurations. ✅⚠️
References:
Reported By: cyberpress.org