Windows Admin Center installations earlier than version 2.7.4 are vulnerable to CVE-2026-58631, an improper-authorization flaw that can let an authenticated attacker execute code on the gateway host. Microsoft disclosed the vulnerability on July 14, 2026, rated it Important, and assigned it a CVSS 3.1 base score of 7.8.
Administrators running Windows Admin Center should update the gateway to version 2.7.4 or later rather than relying on the monthly Windows cumulative update alone. The vulnerability belongs to Windows Admin Center itself, so patching Windows Server or Windows 11 does not necessarily update a separately installed WAC gateway.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-58631 affects Windows Admin Center versions from 1809 through builds earlier than 2.7.4. Microsoft describes the underlying weakness as improper authorization, tracked as CWE-285.
Despite being titled a Windows Admin Center remote code execution vulnerability, Microsoft’s CVSS vector classifies the attack vector as local. Exploitation requires low privileges, low complexity, and no interaction from another user.
The complete CVSS 3.1 vector is
That distinction matters for triage, but it should not be mistaken for low impact. Microsoft says successful exploitation could fully compromise confidentiality, integrity, and availability within the affected security scope. The likely concern is that limited access to an administration platform could be converted into code execution on the machine hosting that platform.
Windows Admin Center gateways are particularly sensitive systems because they sit between administrators and managed infrastructure. WAC can be used to administer Windows Server machines, failover clusters, Hyper-V hosts, virtual machines, storage, certificates, firewall rules, services, and PowerShell operations. Compromise of the gateway can therefore become a staging point for credential theft, lateral movement, or manipulation of systems that the gateway is trusted to manage.
The CVSS scope remains unchanged, meaning Microsoft’s score does not automatically treat the vulnerability as crossing into a separate security authority. Operationally, however, the permissions, credentials, and network reach available to a WAC deployment will determine how far an attacker could move after compromising its host.
This inventory needs to include more than the obvious production portal. Enterprises may have standalone gateways for separate administrative teams, Windows Admin Center instances installed directly on managed servers, high-availability deployments, test systems, jump hosts, and older installations retained for compatibility. Forgotten management tools are often especially risky because they retain broad connectivity while falling outside normal application-patching workflows.
Microsoft supports updating non-preview Windows Admin Center releases through Microsoft Update or by installing a newer WAC package manually. Organizations that block automatic product updates, maintain offline networks, or distribute approved software through Configuration Manager, Microsoft Intune, or another deployment system should confirm that version 2.7.4 has entered their software catalog.
An effective response should cover several concrete steps:
At publication time, however, the advisory does not provide a detailed attack narrative, affected WAC component, proof-of-concept code, or indicators tied specifically to exploitation. The National Vulnerability Database is also awaiting its own enrichment work and currently displays Microsoft’s supplied score.
CISA’s initial assessment records no known exploitation and describes the attack as not readily automatable. That lowers the immediate urgency compared with a pre-authentication vulnerability already appearing in ransomware operations, but it does not justify postponing the update. The absence of observed exploitation on disclosure day is a point-in-time assessment, not evidence that exploitation is impossible or will remain uncommon.
Microsoft’s low-complexity rating is the more important warning for administrators. Once an attacker satisfies the local-access and privilege prerequisites, the vulnerability reportedly does not demand unusually difficult conditions or user interaction. Public analysis of the changed WAC package could also reveal more about the vulnerable authorization path after defenders and attackers compare versions.
The advisory’s limited technical detail makes preventive patching more dependable than trying to construct a narrow detection rule. Until more indicators become available, monitoring should focus on behavior around the WAC gateway: unusual process execution, unexpected PowerShell or command-shell launches, newly installed services, altered administrators, suspicious outbound connections, and access from identities or endpoints that do not normally manage servers.
That cluster of vulnerabilities makes the WAC upgrade more than a single-CVE exercise. Administrators validating version 2.7.4 should test the corrected release as a consolidated security update for the management plane, including sign-in, certificate handling, extensions, remote PowerShell, cluster management, Hyper-V operations, and any high-availability configuration.
The most exposed gateways should move first: systems reachable from broad user networks, deployments accessible outside a privileged administration segment, and WAC hosts managing domain controllers, virtualization clusters, or other high-value servers. Test gateways with no production credentials can follow a normal maintenance schedule, but they should not remain indefinitely on a vulnerable build simply because they are labeled non-production.
CVE-2026-58631 is not currently described as an unauthenticated remote takeover or an exploited zero-day. It is still a code-execution flaw in a privileged Windows management product, with a Microsoft-confirmed fix and a clearly defined vulnerable version range. For enterprise IT, the practical deadline is therefore uncomplicated: locate every Windows Admin Center gateway and get it to version 2.7.4 before limited administrative access can become control of the management host.
Administrators running Windows Admin Center should update the gateway to version 2.7.4 or later rather than relying on the monthly Windows cumulative update alone. The vulnerability belongs to Windows Admin Center itself, so patching Windows Server or Windows 11 does not necessarily update a separately installed WAC gateway.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-58631 affects Windows Admin Center versions from 1809 through builds earlier than 2.7.4. Microsoft describes the underlying weakness as improper authorization, tracked as CWE-285.
The “Remote” Label Hides a Local Attack Requirement
Despite being titled a Windows Admin Center remote code execution vulnerability, Microsoft’s CVSS vector classifies the attack vector as local. Exploitation requires low privileges, low complexity, and no interaction from another user.The complete CVSS 3.1 vector is
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker must already possess some degree of authorized access or a way to operate locally in the relevant WAC environment. This is not presented as an unauthenticated, internet-wide compromise in which an arbitrary visitor can simply browse to the management interface and execute code.That distinction matters for triage, but it should not be mistaken for low impact. Microsoft says successful exploitation could fully compromise confidentiality, integrity, and availability within the affected security scope. The likely concern is that limited access to an administration platform could be converted into code execution on the machine hosting that platform.
Windows Admin Center gateways are particularly sensitive systems because they sit between administrators and managed infrastructure. WAC can be used to administer Windows Server machines, failover clusters, Hyper-V hosts, virtual machines, storage, certificates, firewall rules, services, and PowerShell operations. Compromise of the gateway can therefore become a staging point for credential theft, lateral movement, or manipulation of systems that the gateway is trusted to manage.
The CVSS scope remains unchanged, meaning Microsoft’s score does not automatically treat the vulnerability as crossing into a separate security authority. Operationally, however, the permissions, credentials, and network reach available to a WAC deployment will determine how far an attacker could move after compromising its host.
Version 2.7.4 Is the Security Boundary
The published affected-version record identifies Windows Admin Center releases earlier than 2.7.4 as vulnerable. That gives administrators a straightforward remediation target: inventory each gateway, verify its installed build, and upgrade anything below Windows Admin Center 2.7.4.This inventory needs to include more than the obvious production portal. Enterprises may have standalone gateways for separate administrative teams, Windows Admin Center instances installed directly on managed servers, high-availability deployments, test systems, jump hosts, and older installations retained for compatibility. Forgotten management tools are often especially risky because they retain broad connectivity while falling outside normal application-patching workflows.
Microsoft supports updating non-preview Windows Admin Center releases through Microsoft Update or by installing a newer WAC package manually. Organizations that block automatic product updates, maintain offline networks, or distribute approved software through Configuration Manager, Microsoft Intune, or another deployment system should confirm that version 2.7.4 has entered their software catalog.
An effective response should cover several concrete steps:
- Administrators should identify every Windows Admin Center gateway and record its installed version, host operating system, exposure, and authentication configuration.
- Any gateway running a build earlier than 2.7.4 should be upgraded after an appropriately short validation cycle.
- Internet-facing access should be removed or restricted unless it is explicitly required and protected by a controlled administrative access path.
- WAC access should be limited to dedicated administrator identities, with multifactor authentication and privileged-access controls where the deployment supports them.
- Security teams should review gateway logs and endpoint telemetry for unexpected child processes, service changes, PowerShell activity, or configuration modifications.
- Credentials and delegated permissions available to the WAC gateway should be reviewed so that compromise of one management host does not automatically expose the entire server estate.
Confidence Is High, but Exploit Detail Is Sparse
The existence of CVE-2026-58631 is confirmed by Microsoft, which acts as the CVE numbering authority for the affected product. The public record identifies the vulnerable product range, the authorization weakness, the access conditions, and the potential impact. That gives defenders high confidence that the vulnerability is real and that upgrading to 2.7.4 is the intended correction.At publication time, however, the advisory does not provide a detailed attack narrative, affected WAC component, proof-of-concept code, or indicators tied specifically to exploitation. The National Vulnerability Database is also awaiting its own enrichment work and currently displays Microsoft’s supplied score.
CISA’s initial assessment records no known exploitation and describes the attack as not readily automatable. That lowers the immediate urgency compared with a pre-authentication vulnerability already appearing in ransomware operations, but it does not justify postponing the update. The absence of observed exploitation on disclosure day is a point-in-time assessment, not evidence that exploitation is impossible or will remain uncommon.
Microsoft’s low-complexity rating is the more important warning for administrators. Once an attacker satisfies the local-access and privilege prerequisites, the vulnerability reportedly does not demand unusually difficult conditions or user interaction. Public analysis of the changed WAC package could also reveal more about the vulnerable authorization path after defenders and attackers compare versions.
The advisory’s limited technical detail makes preventive patching more dependable than trying to construct a narrow detection rule. Until more indicators become available, monitoring should focus on behavior around the WAC gateway: unusual process execution, unexpected PowerShell or command-shell launches, newly installed services, altered administrators, suspicious outbound connections, and access from identities or endpoints that do not normally manage servers.
July’s WAC Fixes Deserve Their Own Change Window
CVE-2026-58631 was not the only Windows Admin Center vulnerability disclosed in Microsoft’s July 2026 security release. The Patch Tuesday catalog also includes CVE-2026-56196, another WAC remote code execution issue, along with elevation-of-privilege vulnerabilities CVE-2026-57107 and CVE-2026-56169 and information-disclosure vulnerability CVE-2026-56185. BleepingComputer’s July Patch Tuesday review lists all five among the month’s Windows Admin Center fixes.That cluster of vulnerabilities makes the WAC upgrade more than a single-CVE exercise. Administrators validating version 2.7.4 should test the corrected release as a consolidated security update for the management plane, including sign-in, certificate handling, extensions, remote PowerShell, cluster management, Hyper-V operations, and any high-availability configuration.
The most exposed gateways should move first: systems reachable from broad user networks, deployments accessible outside a privileged administration segment, and WAC hosts managing domain controllers, virtualization clusters, or other high-value servers. Test gateways with no production credentials can follow a normal maintenance schedule, but they should not remain indefinitely on a vulnerable build simply because they are labeled non-production.
CVE-2026-58631 is not currently described as an unauthenticated remote takeover or an exploited zero-day. It is still a code-execution flaw in a privileged Windows management product, with a Microsoft-confirmed fix and a clearly defined vulnerable version range. For enterprise IT, the practical deadline is therefore uncomplicated: locate every Windows Admin Center gateway and get it to version 2.7.4 before limited administrative access can become control of the management host.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: learn.microsoft.com
- Related coverage: encyb.com
Encyb SOC Advisory Report Windows Admin Center Privilege Escalation Vulnerability
PDF documentencyb.com
- Related coverage: tomshardware.com
Windows 11 August 2025 security update is causing unintended UAC prompts to appear for non-admin users — some apps are crashing | Tom's Hardware
Windows 11's latest security update can wreak some havoc, but there are workarounds.www.tomshardware.com - Official source: techcommunity.microsoft.com
- Official source: microsoft.com
Windows Admin Center | Microsoft
Use Microsoft Windows Admin Center to manage servers securely and efficiently, allowing you to move from installation to server management in less than five minutes.www.microsoft.com