Cyber Web Spider Blog – News
Azure Identity Token Vulnerability Enables Tenant-Wide Compromise in Windows Admin Center

Posted on January 15, 2026 By CWS

A high-severity vulnerability in Windows Admin Center's Azure Single Sign-On implementation has exposed Azure virtual machines and Arc-connected systems to unauthorized access across entire tenants.

Cymulate Research Labs discovered the flaw, now tracked as CVE-2026-20965, which demonstrates how improper token validation can collapse security boundaries between individual machines and full Azure environments.

Microsoft patched the issue via Windows Admin Center Azure Extension v0.70.00 on January 13, 2026, following Cymulate's August 2025 disclosure. All unpatched deployments below this version remain exposed.

CVE ID: CVE-2026-20965
Description: Improper token validation in WAC Azure SSO allows mixing a stolen WAC.CheckAccess token with a forged PoP token for lateral movement.
Severity: High
CVSS Score: Not yet published
Affected Versions: < 0.70.00
Patch: v0.70.00

Exploitation requires local admin on a WAC-enabled Azure VM or Arc machine, plus a privileged user connecting via the Azure Portal. No in-the-wild exploitation has been reported, but retrospective detection is advised, Cymulate added.

Windows Admin Center uses two tokens: WAC.CheckAccess (verifies role-based access via UPN) and a PoP-bound token (a browser-generated key pair prevents replay).

The flaws include no UPN matching between the two tokens, acceptance of cross-tenant PoP tokens, non-gateway URLs in the PoP token (e.g., a direct IP via port 6516), reused nonces, and an unscoped WAC.CheckAccess token granting tenant-wide access.

JIT access exposes port 6516 to all IPs, not just the gateway DNS name, enabling direct forgery without DNS discovery. This collapses VM isolation, allowing impersonation of admins across resource groups.
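The following is an added illustrative model, not Windows Admin Center's own code, of the five checks the article lists as missing between the WAC.CheckAccess and PoP tokens; the token field names, the ValidationContext and the sample tenants/hosts are assumptions constructed for the demo.

```python
# Added illustrative model, not WAC's own code; token field names are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class CheckAccessToken:
    upn: str         # identity the role-based access check was done for
    tenant_id: str
    scope: str       # resource the token was issued for (assumed field)

@dataclass
class PopToken:
    upn: str
    tenant_id: str
    url: str         # gateway URL the proof-of-possession is bound to
    nonce: str

@dataclass
class ValidationContext:
    tenant_id: str      # tenant of the gateway evaluating the request
    gateway_host: str   # DNS name of the WAC gateway
    resource_id: str    # machine the request targets
    seen_nonces: set = field(default_factory=set)

def validate_token_pair(ca, pop, ctx):
    """Return reasons to reject the pair (empty list = accept); one check per gap."""
    problems = []
    if ca.upn.lower() != pop.upn.lower():
        problems.append("upn-mismatch")          # no UPN matching between tokens
    if not (ca.tenant_id == pop.tenant_id == ctx.tenant_id):
        problems.append("cross-tenant")          # cross-tenant PoP token accepted
    if (urlsplit(pop.url).hostname or "").lower() != ctx.gateway_host.lower():
        problems.append("non-gateway-url")       # e.g. a raw IP on port 6516
    if pop.nonce in ctx.seen_nonces:
        problems.append("nonce-reuse")
    if ca.scope != ctx.resource_id:
        problems.append("unscoped-checkaccess")  # tenant-wide token, not bound to this machine
    if not problems:
        ctx.seen_nonces.add(pop.nonce)           # accept once; the nonce is then burnt
    return problems

def demo():
    """Constructed sample: a legitimate pair, then the mixed pair the article describes."""
    ctx = ValidationContext("tenant-A", "wac-gw.contoso.example", "vm-01")
    legit = validate_token_pair(
        CheckAccessToken("admin@contoso.example", "tenant-A", "vm-01"),
        PopToken("admin@contoso.example", "tenant-A", "https://wac-gw.contoso.example:6516/", "n1"), ctx)
    mixed = validate_token_pair(
        CheckAccessToken("admin@contoso.example", "tenant-A", "*"),      # stolen, unscoped
        PopToken("ops@attacker.example", "tenant-B", "https://10.0.0.5:6516/", "n1"), ctx)
    return legit, mixed
```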

Attack Chain

1. Dump the WAC certificate, stop the service, and run a rogue server.

2. Capture the admin's WAC.CheckAccess token during the portal connection.

3. Enumerate targets via metadata/subnet.

4. Forge a PoP token using an attacker-controlled tenant: generate keys, bind via refresh token, insert the target resource ID/IP.

5. Send InvokeCommand with the mixed tokens for RCE on any reachable WAC machine.

6. Repeat to chain across machines.

This enables lateral movement, privilege escalation, credential theft, cross-subscription compromise, and evasion via fake UPNs.

Detection Guidance

Monitor for WAC virtual accounts like [email protected], indicating abuse.

KQL Query for Suspicious Logons:

DeviceLogonEvents
| where Timestamp > ago(30d)
| where AccountName has "@"
// the excluded string below is blank on the original page; presumably the expected own-tenant UPN suffix
| where not(AccountName has "")
| project Timestamp, DeviceName, AccountName, ActionType, LogonType
| order by Timestamp desc

Flag anomalous WAC activity: new identities on targets, InvokeCommand spikes in trusted contexts.

IOCs:

Port 6516 open via JIT NSG (all sources).

Rogue WAC processes/services.

Mixed-tenant UPN logons.

Unscoped PoP token reuse.

Update to v0.70.00 immediately. Harden NSG/JIT rules to gateway-only sources. Monitor WAC logs for anomalies.

This flaw underscores Azure SSO risks: subtle validation gaps enable local-to-cloud pivots, bypassing segmentation. Prioritize patching and simulation testing.
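As an added example, not from the article or from Cymulate, the following audits an NSG export for the IOC listed above (port 6516 reachable from any source) and, with an allow-list of gateway addresses, for any other source that is not the gateway; the rule shape mirrors ARM's securityRules properties and SAMPLE_NSG is constructed.

```python
# Added example, not from the advisory: audit an NSG export for the IOC the article
# lists, port 6516 reachable from any source. SAMPLE_NSG is a constructed ARM-style export.
import ipaddress

WAC_PORT = 6516
WILDCARD_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}

def _covers_port(spec, port):
    """True if a destinationPortRange entry ('*', '6516' or '6000-7000') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _is_wildcard(src):
    """Wildcard or zero-length prefix; service tags and hosts count as scoped."""
    if src.lower() in WILDCARD_SOURCES:
        return True
    try:
        return ipaddress.ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return False

def exposed_wac_rules(nsg, gateway_sources=()):
    """Allow/Inbound rules reaching 6516 from a wildcard or non-gateway source."""
    hits = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p["access"] != "Allow" or p["direction"] != "Inbound":
            continue
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]
        if not any(_covers_port(s, WAC_PORT) for s in ports):
            continue
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        if any(_is_wildcard(s) or (gateway_sources and s not in gateway_sources)
               for s in sources):
            hits.append(rule["name"])
    return hits

def _rule(name, prio, port, src):
    return {"name": name, "properties": {"priority": prio, "direction": "Inbound",
            "access": "Allow", "destinationPortRange": port, "sourceAddressPrefix": src}}

SAMPLE_NSG = {"name": "vm-01-nsg", "properties": {"securityRules": [
    _rule("jit-wac-any", 100, "6516", "*"),                 # JIT opened 6516 to everyone
    _rule("wac-from-gateway", 110, "6516", "10.0.1.4/32"),  # scoped to the gateway
    _rule("wide-range-from-office", 120, "6000-7000", "203.0.113.0/24"),
    _rule("rdp-any", 130, "3389", "*"),                     # not WAC, ignored
]}}
```

Without an allow-list only the wildcard rule is reported; passing the gateway's address also surfaces the office range that happens to cover 6516.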
