Listen to this Post
How CVE-2026-35438 Works
CVE-2026-35438 is an elevation-of-privilege (EoP) vulnerability in Microsoft’s Windows Admin Center (WAC). The flaw stems from missing authorization checks within the management tool’s core logic. WAC is a browser-based application designed to manage Windows servers, clusters, and PCs, handling tasks like performance monitoring, configuration management, and, critically, installing software updates. These update operations are executed with the highest possible system-level privileges (SYSTEM context) to ensure they can modify protected system files and configurations.
The vulnerability resides in how WAC validates the path from which it retrieves and installs updates. Specifically, the application fails to properly authorize and validate the integrity of the update source before executing the installer with high privileges. This means a low-privileged attacker—someone with a standard user account, perhaps from a compromised service or initial beachhead—can manipulate the update mechanism.
By abusing this flaw, the attacker can redirect the update process from its legitimate source to a malicious file they control, such as a crafted dynamic-link library (DLL) or script. When the Windows Admin Center service triggers an update, whether automatically or manually, it follows the attacker-controlled path. The system then executes the attacker’s payload with full SYSTEM-level permissions, believing it is installing a legitimate update. This action effectively bypasses the entire privilege boundary.
The technical root cause is suspected to be a classic authorization bypass (CWE-862: Missing Authorization), combined with insufficient input validation in the update path. Attackers can exploit this through various means, including path traversal techniques or time-of-check-time-of-use (TOCTOU) race conditions. In a TOCTOU attack, the attacker swaps a legitimate temporary update file with a malicious payload in the brief window between the system’s permission check and the file’s execution. The high CVSS base score of 8.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H) reflects the low attack complexity and the minimal privileges required for exploitation, leading to a high impact on system integrity and availability. Simply put, anyone with an authenticated low-privilege foothold on a server running a vulnerable version of Windows Admin Center can become SYSTEM.
DailyCVE Form:
Platform: Windows Admin Center
Version: Pre-May-2026 updates
Vulnerability : Missing Authorization
Severity: High (8.3 CVSS)
date: 2026-05-12
Prediction: 2026-06-02
What Undercode Say:
Undercode’s analytics highlight the critical exposure. The primary risk is that exploitation is trivial for an authenticated attacker. Undercode suggests defenders immediately audit their Windows Admin Center deployments. Use PowerShell to check for vulnerable versions and enforce strict access controls. Network segmentation is critical; the management gateway should not be accessible from low-trust networks. Implement continuous monitoring for suspicious child processes spawned by the `ServerManagement.exe` or `WAC` service, as this is a key indicator of exploitation.
Undercode recommended check for vulnerable WAC version
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Admin Center" | Select-Object Version
Command to check for suspicious SYSTEM-level child processes
Get-WmiObject Win32_Process | Where-Object { $_.ParentProcessId -eq (Get-Process -Name "ServerManagement").Id } | Format-List
Exploit:
A low-privileged attacker can exploit CVE-2026-35438 by manipulating the WAC update path to execute arbitrary code with SYSTEM privileges. The attacker first locates the temporary update directory used by WAC. They then place a malicious DLL, script, or executable in that path or redirect the update mechanism to their payload. When the WAC service initiates an update check, it retrieves and executes the attacker’s code instead of the legitimate update file, granting full system control.
A simplified conceptual exploit sequence is:
- Identify the target running a vulnerable WAC version.
- Prepare a malicious payload (e.g., a reverse shell executable) and place it in a writeable location accessible to the WAC service.
- Manipulate the update path by modifying configuration or injecting data to point to the malicious payload.
- Trigger an update via the WAC interface or wait for an automatic check.
- Execute: The WAC service runs the payload with SYSTEM privileges, compromising the host.
Protection:
- Apply Patches Immediately: Microsoft released a security update on May 12, 2026. Apply this patch from the Microsoft Security Update Guide without delay.
- Restrict Access: Enforce the principle of least privilege. Limit the number of users with access to Windows Admin Center. Use network firewalls to restrict access to the WAC gateway only from trusted administrative networks.
- Monitor System Logs: Enable detailed logging on WAC servers. Monitor for unusual child process creation from the `ServerManagement.exe` process and for any unexpected modifications to WAC’s configuration files.
Impact:
Successful exploitation of CVE-2026-35438 grants the attacker SYSTEM-level privileges on the compromised machine. With this highest level of access, the attacker can:
– Completely disable security controls (e.g., antivirus, EDR, logging).
– Exfiltrate sensitive data, including plaintext credentials and configuration files.
– Use the compromised server as a pivot point for lateral movement to other servers and domain controllers within the network.
– Deploy ransomware or establish persistent backdoors, leading to a full-scale network takeover.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

