Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft's Windows Admin Center (Azure Portal edition) allows an authenticated low-privileged attacker to gain higher privileges by abusing symbolic link resolution before file access. The flaw, reported by Microsoft itself, carries a CVSS 7.8 with no public exploit identified at time of analysis, and a vendor patch is available via the Microsoft Security Response Center advisory.
Technical ContextAI
Windows Admin Center (WAC) in Azure Portal is Microsoft's browser-based server management console that integrates on-premises Windows Server administration into the Azure cloud experience. The root cause is CWE-59 (Improper Link Resolution Before File Access, a.k.a. 'link following'), in which the application accesses a file path without first verifying whether intermediate components are symbolic links, junctions, or hard links. On Windows, this class of bug typically lets a low-privileged user plant a reparse point so that a privileged service writes, reads, or deletes a target file outside its intended directory, enabling tampering with privileged binaries or configuration. The affected CPE is cpe:2.3:a:microsoft:windows_admin_center_in_azure_portal, confirming this is the Azure-hosted WAC component rather than the standalone gateway installation.
RemediationAI
Apply the vendor patch available per the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42834; the exact fixed build number is not included in the provided input and should be retrieved directly from MSRC before deployment. As a compensating control until patching completes, restrict interactive and remote logon to the Windows Admin Center host to trusted administrators only (using Restricted Groups, Just Enough Administration, or AppLocker) since exploitation requires local authenticated access, and audit the WAC installation directory and working folders for unexpected symlinks, junctions, or reparse points using fsutil reparsepoint query. Reducing the number of accounts with the SeCreateSymbolicLinkPrivilege on the affected host materially shrinks the attack surface but may interfere with developer or container workloads that legitimately create links.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31104
GHSA-33pm-33cg-5576