CVE-2026-42834 – Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability

CVSS 7.8 IMPORTANT

“A seemingly minor privilege escalation flaw can turn limited access into complete system control when attackers reach SYSTEM-level privileges.”

Windows Admin Center in Azure Portal contains an elevation of privilege vulnerability that could allow an authorized attacker to gain SYSTEM privileges. The vulnerability stems from improper link resolution before file access, commonly known as link following, which can enable an attacker with low privileges to manipulate file operations and elevate access rights. While Microsoft currently rates exploitation as less likely, successful exploitation would grant attackers full control over the affected system.

CVSS Score: 7.8

SEVERITY: Important

THREAT:
This vulnerability allows an attacker with low-privileged local access to elevate privileges and obtain SYSTEM-level rights. Once SYSTEM privileges are achieved, an attacker can execute administrative actions, access sensitive data, modify security settings, install malware, disable security controls, and maintain persistence on the compromised system.

EXPLOITS:
Microsoft reports that the vulnerability is not publicly disclosed and not currently exploited. No public proof-of-concept (PoC) exploit code has been confirmed. Microsoft assesses the vulnerability as Exploitation Less Likely.

TECHNICAL SUMMARY:
The vulnerability is associated with CWE-59: Improper Link Resolution Before File Access (‘Link Following’). The affected component improperly handles file operations involving links, allowing a low-privileged attacker to influence how files are accessed or processed. By exploiting this behavior, an attacker may redirect privileged operations to unintended targets and ultimately gain SYSTEM-level privileges. The attack requires low privileges and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected software includes the Windows Admin Center extension for Azure Portal, specifically AdminCenter (Microsoft.AdminCenter.AdminCenter). Exploitation requires local access and a low-privileged account. No user interaction is required. A successful attacker can elevate privileges to SYSTEM level on the affected machine.

BUSINESS IMPACT:
SYSTEM-level compromise effectively gives attackers complete control of the affected system. This can lead to theft of sensitive information, deployment of ransomware or malware, modification of security settings, disruption of critical services, and use of the compromised system as a launching point for further attacks within the environment. In cloud-connected environments, privilege escalation on administrative systems can create additional operational and security risks.

WORKAROUND:
Customers should install the latest version of the Windows Admin Center extension through the Azure Portal:

  • Open the Extensions + Applications blade for the virtual machine.
  • Search for AdminCenter (Microsoft.AdminCenter.AdminCenter).
  • Add or update the extension using the standard Azure VM extension installation process.
  • Restrict local administrative access and monitor for unusual privilege escalation activity until updates are deployed.
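
To find which virtual machines need the update, the following added example (not code from Microsoft or from this advisory) lists every VM in the current subscription whose VM agent reports the AdminCenter handler, along with the installed handler version. It assumes the Az PowerShell module and an authenticated session; `$FixedVersion` is a placeholder because this page does not state the fixed version number.

```powershell
# Added example, not Microsoft's code. Requires the Az.Compute module and Connect-AzAccount.
$HandlerType = 'Microsoft.AdminCenter.AdminCenter'   # identifier as given in this advisory

# Placeholder: this page does not state the fixed version. Set it from Microsoft's
# update guide, e.g. [version]'<fixed version>'. While $null, versions are only listed.
$FixedVersion = $null

$report = foreach ($vm in Get-AzVM) {
    # -Status returns the instance view, which holds the handler version the VM agent reports.
    $view = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status

    if (-not $view.VMAgent) {
        # Deallocated VM or agent not reporting: installed handlers cannot be read.
        [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            VM            = $vm.Name
            Installed     = 'unknown'
            Assessment    = 'no VM agent status, check manually'
        }
        continue
    }

    $handlers = @($view.VMAgent.ExtensionHandlers | Where-Object { $_.Type -eq $HandlerType })
    foreach ($h in $handlers) {
        # -as yields $null instead of throwing if the version string does not parse.
        $installed = $h.TypeHandlerVersion -as [version]

        $assessment = if ($null -eq $FixedVersion) { 'fixed version not set' }
                      elseif ($null -eq $installed) { 'version unreadable, check manually' }
                      elseif ($installed -lt $FixedVersion) { 'UPDATE REQUIRED' }
                      else { 'at or above fixed version' }

        [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            VM            = $vm.Name
            Installed     = $h.TypeHandlerVersion
            Assessment    = $assessment
        }
    }
}

$report | Sort-Object ResourceGroup, VM | Format-Table -AutoSize
```

VMs without the extension produce no row; VMs listed as `unknown` are typically deallocated and should be rechecked once running.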

Key Details

Affected Product: Microsoft Windows Admin Center
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
CWE Classification: CWE-59