CVE-2026-23660

HighLPE

Published: 10 March 2026

Published

10 March 2026

Modified

18 March 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23660 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Windows Admin Center. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly enforces approved authorizations for logical access, addressing the improper access control that enables local privilege escalation.

AC-6 Least Privilege good match

prevent

Employs least privilege to restrict low-privilege local attackers from elevating privileges beyond necessary access.

AC-2 Account Management good match

prevent

Manages accounts and associated privileges to prevent provisioning of exploitable low-privilege accounts in Windows Admin Center.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Direct local privilege escalation via exploitation of improper access control flaw (CWE-284).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-23660 is an improper access control vulnerability affecting Azure Portal Windows Admin Center. Published on 2026-03-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control) with additional NVD-CWE-noinfo classification. The issue stems from flawed access controls that enable privilege escalation.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows privilege elevation on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

The Microsoft Security Response Center advisory provides further details on this vulnerability, including mitigation and patch guidance, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23660.

Details

CWE(s): CWE-284 NVD-CWE-noinfo

Affected Products

microsoft

windows admin center

≤ 2.6.4

CVEs Like This One

CVE-2026-26119Same product: Microsoft Windows Admin Center

CVE-2026-20965Same product: Microsoft Windows Admin Center

CVE-2025-54914Same vendor: Microsoft

CVE-2025-21359Same vendor: Microsoft

CVE-2026-27914Same vendor: Microsoft

CVE-2026-24303Same vendor: Microsoft

CVE-2026-21238Same vendor: Microsoft

CVE-2026-20929Same vendor: Microsoft

CVE-2025-21405Same vendor: Microsoft

CVE-2026-26183Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23660
Vendor Advisory · secure@microsoft.com