Cyber Resilience

CVE-2026-23660

HighLPE

Published: 10 March 2026

Published
10 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 19.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23660 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Windows Admin Center. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-23660 is an improper access control vulnerability affecting Azure Portal Windows Admin Center. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control) with additional NVD-CWE-noinfo classification. The issue stems from flawed access controls that enable privilege escalation.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows privilege elevation on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

The Microsoft Security Response Center advisory provides further details on this vulnerability, including mitigation and patch guidance, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23660.

EU & UK References

Vulnerability details

Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via exploitation of improper access control flaw (CWE-284).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41086Same product: Microsoft Windows Admin Center
CVE-2026-35438Same product: Microsoft Windows Admin Center
CVE-2026-20965Same product: Microsoft Windows Admin Center
CVE-2026-42834Same product: Microsoft Windows Admin Center
CVE-2026-26119Same product: Microsoft Windows Admin Center
CVE-2026-42823Same vendor: Microsoft
CVE-2025-24076Same vendor: Microsoft
CVE-2025-21359Same vendor: Microsoft
CVE-2026-24290Same vendor: Microsoft
CVE-2026-40420Same vendor: Microsoft

Affected Assets

microsoft
windows admin center
≤ 2.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for logical access, addressing the improper access control that enables local privilege escalation.

prevent

Employs least privilege to restrict low-privilege local attackers from elevating privileges beyond necessary access.

prevent

Manages accounts and associated privileges to prevent provisioning of exploitable low-privilege accounts in Windows Admin Center.

References