Critical Azure SSO Vulnerability Exposes Tenants to Unauthorized Access; Update WAC Immediately

Critical Azure Identity Token Vulnerability Exposes Entire Tenants to Unauthorized Access

A significant security flaw has been identified in the Windows Admin Center (WAC) Azure Single Sign-On (SSO) implementation, potentially allowing unauthorized access across entire Azure tenants. This vulnerability, designated CVE-2026-20965, was discovered by Cymulate Research Labs and has been addressed by Microsoft in the Windows Admin Center Azure Extension version 0.70.00, released on January 13, 2026.

Understanding the Vulnerability

The core of this vulnerability lies in the improper validation of identity tokens within WAC’s Azure SSO mechanism. Specifically, the flaw permits the combination of a stolen WAC.CheckAccess token with a forged Proof of Possession (PoP) token, facilitating unauthorized lateral movement within Azure environments.

Technical Breakdown

Windows Admin Center utilizes two primary tokens for authentication:

1. WAC.CheckAccess Token: This token verifies role-based access by checking the User Principal Name (UPN).

2. PoP-Bound Token: Generated by the browser, this token employs a key pair to prevent replay attacks.

The identified vulnerabilities include:

– UPN Mismatch: There’s no validation ensuring that the UPNs in both tokens match.

– Cross-Tenant PoP Token Acceptance: PoP tokens from different tenants are accepted without scrutiny.

– Non-Gateway URLs in PoP Tokens: PoP tokens can reference non-gateway URLs, such as direct IP addresses via port 6516.

– Nonce Reuse: The system allows the reuse of nonces, which can undermine security measures.

– Unscoped WAC.CheckAccess Token: This token grants access across the entire tenant without specific scoping.

Additionally, the Just-In-Time (JIT) access feature exposes port 6516 to all IP addresses, not just the gateway DNS. This exposure enables attackers to forge tokens directly without needing DNS discovery, effectively collapsing the isolation between virtual machines and allowing impersonation of administrators across different resource groups.
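The five gaps listed above are all missing checks at the point where a CheckAccess token and a PoP token are paired. The following is an added example, not Microsoft's or Cymulate's code, that models the two tokens as simplified dataclasses (the field names, class names and the `"*"` convention for "unscoped" are constructed for illustration and are not WAC's real token format) and shows what a validator that closes each gap looks like from the defender's side.

```python
"""
Token-pairing checks for the gaps listed above (UPN mismatch, cross-tenant PoP,
non-gateway URL, nonce reuse, unscoped CheckAccess). This is an added,
simplified model and not Microsoft's or Cymulate's code: the token fields and
class names are constructed to illustrate the checks, not WAC's real format.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class CheckAccessToken:
    upn: str          # identity whose role assignment is being checked
    tenant_id: str    # tenant that issued the token
    scope: str        # resource id the token is valid for; "*" models "unscoped"


@dataclass(frozen=True)
class PopToken:
    upn: str          # identity the browser bound the key pair to
    tenant_id: str    # tenant that issued the PoP token
    target_url: str   # URL the proof of possession is bound to
    nonce: str        # single-use value that is meant to defeat replay


class TokenPairValidator:
    """Accepts a (CheckAccess, PoP) pair only when every check passes."""

    def __init__(self, gateway_host: str, home_tenant: str) -> None:
        self.gateway_host = gateway_host.casefold()
        self.home_tenant = home_tenant
        self._seen_nonces: set[str] = set()

    def validate(self, check: CheckAccessToken, pop: PopToken,
                 resource_id: str) -> list[str]:
        """Return the reasons for rejection; an empty list means accepted."""
        problems: list[str] = []

        # 1. UPN mismatch: both tokens must name the same principal.
        if check.upn.casefold() != pop.upn.casefold():
            problems.append("upn-mismatch")

        # 2. Cross-tenant acceptance: both tokens must come from the home tenant.
        if check.tenant_id != self.home_tenant or pop.tenant_id != self.home_tenant:
            problems.append("cross-tenant")

        # 3. Non-gateway URL: the PoP binding must point at the gateway DNS name,
        #    never at a raw IP address or some other host on port 6516.
        host = (urlparse(pop.target_url).hostname or "").casefold()
        if host != self.gateway_host:
            problems.append("non-gateway-url")

        # 4. Nonce reuse: a nonce is consumed on first presentation, so a second
        #    presentation is rejected even if everything else looks valid.
        if pop.nonce in self._seen_nonces:
            problems.append("nonce-reuse")
        self._seen_nonces.add(pop.nonce)

        # 5. Unscoped token: CheckAccess must be bound to the resource in use,
        #    not valid tenant-wide.
        if check.scope == "*" or check.scope != resource_id:
            problems.append("unscoped-or-wrong-scope")

        return problems


if __name__ == "__main__":
    validator = TokenPairValidator("wac-gateway.example.internal", "tenant-home")
    check = CheckAccessToken("admin@corp.example", "tenant-home", "/subscriptions/s1/vm-app-01")
    pop = PopToken("admin@corp.example", "tenant-home",
                   "https://wac-gateway.example.internal/api", "nonce-1")
    print("first use:", validator.validate(check, pop, "/subscriptions/s1/vm-app-01"))
    print("replay:   ", validator.validate(check, pop, "/subscriptions/s1/vm-app-01"))
```

The validator returns every failed check rather than stopping at the first one, which is what you want when writing audit logs: a pair that fails on UPN, tenant, URL and scope at once is the signature of the mixed-token scenario the article describes, and a log line listing all four is far more useful to a responder than a bare "rejected".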

Potential Attack Chain

An attacker could exploit this vulnerability through the following steps:

1. Certificate Extraction and Service Manipulation: The attacker extracts the WAC certificate, stops the WAC service, and initiates a rogue server.

2. Token Capture: During an administrator’s connection via the Azure Portal, the attacker captures the WAC.CheckAccess token.

3. Target Enumeration: The attacker identifies potential targets through metadata and subnet information.

4. PoP Token Forgery: Using their own tenant, the attacker generates keys, binds them via a refresh token, and inserts the target resource ID or IP address.

5. Remote Code Execution (RCE): The attacker sends an InvokeCommand with the mixed tokens to execute code on any accessible WAC machine.

6. Lateral Movement: The attacker repeats the process to move laterally within the network.

This sequence enables lateral movement, privilege escalation, credential theft, cross-subscription compromise, and evasion through the use of fake UPNs.

Detection and Mitigation Strategies

To detect potential exploitation of this vulnerability, organizations should:

– Monitor for Anomalous Logins: Keep an eye out for WAC virtual accounts, such as [email protected], which may indicate abuse.

– Analyze Logon Events: Utilize Kusto Query Language (KQL) to identify suspicious logon activities.

– Flag Unusual WAC Activity: Be alert to new identities on target machines and spikes in InvokeCommand usage within trusted contexts.

Indicators of Compromise (IOCs) include:

– Open Port 6516: Especially when exposed via JIT Network Security Group (NSG) to all sources.

– Rogue WAC Processes or Services: Unexpected WAC-related processes or services running on systems.

– Mixed-Tenant UPN Logins: Logins from UPNs associated with different tenants.

– Unscoped PoP Token Reuse: Instances where PoP tokens are reused without proper scoping.
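The detection strategies and indicators above translate into four concrete hunting checks: logons from UPNs outside the tenant's own domains, InvokeCommand bursts on a single host, identities that have never been seen on a host before, and NSG rules that open port 6516 to any source. The following is an added example, not from the article, Microsoft or Cymulate, that runs those checks over a handful of constructed log events and NSG rules; the event field names (`time`, `host`, `upn`, `event`) and the rule fields are assumptions chosen for the example, so map them onto whatever your log pipeline actually emits.

```python
"""
Added detection example (not from the article, Microsoft or Cymulate): the
hunting checks listed above run over constructed log events, plus a check for
the port-6516 indicator of compromise. Field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one normal admin session on vm-app-01 and a
# foreign-tenant identity firing a burst of InvokeCommand calls on vm-db-02.
SAMPLE_EVENTS = [
    {"time": "2026-01-14T09:00:00", "host": "vm-app-01", "upn": "admin@corp.example", "event": "Logon"},
    {"time": "2026-01-14T09:00:05", "host": "vm-app-01", "upn": "admin@corp.example", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:01:00", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "Logon"},
    {"time": "2026-01-14T09:01:10", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:01:20", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:01:30", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:01:40", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:01:50", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
    {"time": "2026-01-14T09:02:00", "host": "vm-db-02", "upn": "ops@attacker-tenant.test", "event": "InvokeCommand"},
]

# Constructed NSG rules: one JIT rule opened 6516 to everyone, one is scoped
# to the (assumed) gateway address 10.1.0.4.
SAMPLE_NSG_RULES = [
    {"name": "JIT-6516-any", "direction": "Inbound", "access": "Allow", "port": "6516", "source": "*"},
    {"name": "WAC-from-gateway", "direction": "Inbound", "access": "Allow", "port": "6516", "source": "10.1.0.4"},
    {"name": "DenyAll", "direction": "Inbound", "access": "Deny", "port": "*", "source": "*"},
]

HOME_DOMAINS = {"corp.example"}                      # the tenant's own UPN suffixes
KNOWN_ADMINS = {"vm-app-01": {"admin@corp.example"},  # per-host baseline of expected identities
                "vm-db-02": {"admin@corp.example"}}


def mixed_tenant_logins(events, home_domains=HOME_DOMAINS):
    """Logon events whose UPN suffix is not one of the tenant's own domains."""
    hits = []
    for e in events:
        if e["event"] != "Logon":
            continue
        domain = e["upn"].rsplit("@", 1)[-1].casefold()
        if domain not in home_domains:
            hits.append((e["host"], e["upn"]))
    return hits


def invoke_command_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Hosts where more than `threshold` InvokeCommand events fall inside `window`.

    Returns {host: peak count within any window}, using a sliding window over
    the sorted timestamps so the check is O(n) per host.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "InvokeCommand":
            per_host[e["host"]].append(datetime.fromisoformat(e["time"]))
    spikes = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                spikes[host] = max(spikes.get(host, 0), count)
    return spikes


def new_identities(events, baseline=KNOWN_ADMINS):
    """UPNs seen on a host that are absent from that host's baseline."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["upn"].casefold())
    result = {}
    for host, upns in seen.items():
        known = {u.casefold() for u in baseline.get(host, set())}
        unknown = sorted(upns - known)
        if unknown:
            result[host] = unknown
    return result


def nsg_rules_exposing_6516(rules):
    """Inbound allow rules that open TCP 6516 to any source (the JIT-to-all IOC)."""
    any_source = {"*", "any", "internet", "0.0.0.0/0"}
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["port"] in ("6516", "*") and r["source"].casefold() in any_source]


if __name__ == "__main__":
    print("mixed-tenant logons:", mixed_tenant_logins(SAMPLE_EVENTS))
    print("InvokeCommand spikes:", invoke_command_spikes(SAMPLE_EVENTS))
    print("new identities:", new_identities(SAMPLE_EVENTS))
    print("NSG rules exposing 6516:", nsg_rules_exposing_6516(SAMPLE_NSG_RULES))
```

On the sample data all four checks fire on the same host and identity, which is the point of correlating them: any one of a foreign-tenant UPN, an InvokeCommand burst, a never-before-seen identity or a wide-open 6516 rule can have a benign explanation, but the combination is the shape of the chain described earlier. The same logic ports directly to a KQL query over your sign-in and WAC gateway logs once the column names are known.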

Immediate Actions Required

Organizations are strongly advised to:

– Update Windows Admin Center: Ensure that all deployments are updated to version 0.70.00 or later to patch this vulnerability.

– Restrict NSG/JIT Configurations: Limit access to the gateway only, reducing exposure to potential attacks.

– Monitor WAC Logs: Regularly review logs for any anomalies that could indicate exploitation attempts.

This vulnerability underscores the critical importance of robust token validation processes within Azure SSO implementations. Even subtle validation gaps can enable attackers to pivot from local systems to cloud environments, effectively bypassing segmentation controls. Organizations must prioritize timely patching and conduct thorough simulation testing to ensure their environments remain secure.