CVE-2026-56196: Update Windows Admin Center to 2.7.4

Microsoft has fixed CVE-2026-56196, a CVSS 8.8 Windows Admin Center remote code execution vulnerability, in Windows Admin Center build 2.7.4. Administrators running any Windows Admin Center release from 1809.0 through versions earlier than 2.7.4 should treat the update as a near-term priority: the flaw requires authentication, but successful exploitation can give an attacker code execution through a management platform that often holds delegated access to servers, clusters, Hyper-V hosts, and Windows PCs.
Microsoft’s Security Response Center published the advisory on July 14, 2026. The associated CVE record describes the bug as relative path traversal—CWE-23—and says an authorized attacker can execute code over a network. NIST’s National Vulnerability Database reflects Microsoft’s 8.8 High CVSS v3.1 rating, with network access, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
The important distinction is not whether the issue is technically “remote”—it is—but where the attack begins. This is not an unauthenticated, internet-wormable WAC gateway flaw. An attacker must first have valid access. In environments where Windows Admin Center is exposed to broad administrator groups, reused help-desk credentials, or a compromised management workstation, that precondition may be far less reassuring than it sounds.

A Windows Admin Center dashboard shows a patched gateway blocking remote code execution and path traversal attacks.Build 2.7.4 Is the Security Baseline​

Microsoft’s Windows Admin Center team says the Windows Admin Center 2606 release installer was updated to build 2.7.4 on July 9, ahead of the July 14 public disclosure. The build includes multiple security improvements covering elevation-of-privilege and remote-code-execution issues; CVE-2026-56196 is one of several Windows Admin Center vulnerabilities acknowledged in this month’s security release.
For this CVE, the affected-version boundary is unusually straightforward: Windows Admin Center versions earlier than 2.7.4 are affected. The remediation target is therefore Windows Admin Center 2.7.4 or later, not a particular Windows cumulative update or Server KB. That matters for patch-management teams that may successfully deploy July Windows updates while leaving the separately installed management gateway untouched.
Windows Admin Center is a browser-based remote-management tool rather than a Windows Server role patched solely through the operating system servicing stack. It can run as a local client installation, a dedicated gateway server used by several administrators, a managed-server installation, or in other distributed management designs. The gateway is the asset to find first.
Microsoft’s own deployment guidance favors a separate management PC or gateway over managing a server locally through an installation on that same server. From a security perspective, CVE-2026-56196 strengthens the case for that separation: a gateway should be an intentionally protected management-plane system, not a forgotten utility installed on an application server or cluster node.

Why an Authenticated Path Traversal Still Deserves Urgency​

Relative path traversal bugs arise when an application fails to properly constrain file paths supplied during an operation. In broad terms, an attacker may try to use crafted path components to escape an intended directory and reach another location. Microsoft has not publicly documented the vulnerable request path, affected WAC feature, or exact execution chain for CVE-2026-56196, and administrators should avoid assuming that speculative proof-of-concept details accurately describe the issue.
The CVSS vector does make several practical points clear. The vulnerable service is reachable over the network, exploitation has low complexity, and no victim interaction is required once the attacker has the required privileges. The vector also indicates the impact remains within the vulnerable security authority rather than crossing a separate security boundary—but that does little to reduce concern when the vulnerable authority is a Windows Admin Center gateway trusted to perform administration.
Windows Admin Center’s role is the reason this vulnerability merits attention beyond its “Important” label. The product can manage services, local users and groups, scheduled tasks, certificates, firewall settings, registry values, storage, updates, virtual machines, and PowerShell sessions. Microsoft documentation also notes that WAC can use the administrator’s security context when managing a remote node. A compromise or abuse of a gateway can therefore become a pivot point into the systems it administers.
CISA’s SSVC data, as reflected by NVD, currently records exploitation as “none” and the issue as not automatable. Those are useful prioritization signals, not grounds to defer. They mean there is no public indication of active exploitation and no indication that the bug is suitable for broad automated compromise at this time. They do not change the vendor-confirmed vulnerability, the low-complexity network attack condition, or the total technical impact assessed in the same record.

Start With the Gateways You Forgot You Had​

The first operational task is inventory. WAC deployments tend to proliferate because the product is convenient: one admin installs it on a Windows 11 workstation for an ad-hoc server task, another deploys a shared gateway, and an old lab or branch-office system remains in use long after central tooling has changed.
Administrators should identify every installed Windows Admin Center instance, including dedicated gateway servers, administrator workstations, management jump hosts, cluster-adjacent installations, and systems used for remote support. Do not limit the search to a server team’s documented gateway list. The relevant question is whether the Windows Admin Center application is installed and reachable by any user who can sign in.
A compact remediation sequence is appropriate here:
  • Upgrade every Windows Admin Center gateway and local installation below build 2.7.4 to build 2.7.4 or a newer supported release.
  • Verify the installed application build after deployment rather than relying only on software-distribution success status.
  • Review which accounts and groups can access each gateway, especially standing local administrators and Windows Admin Center administrator roles.
  • Restrict gateway network exposure to administration workstations, jump hosts, VPN ranges, or other explicitly required management networks.
  • Review gateway logs and identity-provider sign-in records for unusual authenticated access while the update is being rolled out.
The version check deserves emphasis. Windows Admin Center has had release and build-number presentation differences in the past, and Microsoft notes that the UI can show differing version information for some releases. Organizations should validate the version through the installed application’s own reporting and their endpoint inventory rather than assuming a broad “Windows Admin Center 2606” label proves the patched build is present.

Access Controls Become the Interim Mitigation​

If change control prevents an immediate upgrade, reduce the number of people and systems that can reach the gateway. This is not a substitute for patching, but it directly addresses the vulnerability’s authenticated attack requirement.
The best temporary posture is a management gateway reachable only from hardened administrative endpoints, with access limited to named administrators who need it. Review whether broad domain groups, service accounts, contractors, or legacy support accounts retain access. Remove unused connections and stale administrator memberships; require phishing-resistant multifactor authentication where the organization’s identity design supports it; and ensure externally exposed WAC gateways are not simply reachable from any trusted corporate subnet.
Administrators should also examine the gateway’s relationship to managed nodes. A WAC instance may be deliberately low privilege in one environment yet have highly privileged delegated credentials or administrator access across domain controllers, Hyper-V hosts, failover clusters, and file servers in another. The same CVE therefore has a sharply different business impact depending on the gateway’s scope.
Microsoft’s July 2026 update cycle includes other Windows Admin Center vulnerabilities, including additional remote-code-execution and elevation-of-privilege issues. That is another argument for treating 2.7.4 as a maintenance release to deploy as a package, rather than attempting to make a risk decision on CVE-2026-56196 in isolation.
The immediate milestone is simple: every WAC deployment should be at build 2.7.4 or later, and every shared gateway should have a documented owner and a deliberately narrow access path. The public record currently shows no known exploitation, but Windows Admin Center is too close to the administrative control plane to leave an authenticated RCE unpatched while that remains true.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: encyb.com
  3. Official source: learn.microsoft.com
  4. Official source: techcommunity.microsoft.com
 

Back
Top