Mike

🚨 CVE‑2026‑20965: Azure Identity Token Flaw Enables Tenant‑Wide Compromise via Windows Admin Center Cymulate Research Labs has disclosed a high‑severity vulnerability in the Azure AD Single Sign‑On (SSO) integration of Windows Admin Center (WAC). The flaw allows an attacker with local administrator rights on a single machine to escalate privileges, execute remote code, and move laterally across all Azure VMs and Arc‑connected systems within the same tenant—even without valid Azure credentials. Any Azure VM or Arc‑joined machine running an unpatched Windows Admin Center Azure Extension below version 0.70.00 is exposed. Since version 0.69.0.0 was only released in January 2026, this effectively means all deployments with the WAC Azure extension are at risk unless updated. For defenders, the critical questions now are: What is the blast radius, and which internet‑facing Azure or Arc‑connected VMs are running the vulnerable WAC Azure extension? These systems could provide attackers with a foothold for remote code execution and lateral movement across the tenant. The below Defender XDR advance hunting KQL query that helps security teams quickly identify Azure and Arc‑joined VMs running the WAC Azure extension so they can prioritize patching and containment.🫡 #Cybersecurity #WACAzureExtension #RCE #DefenderXDR

Due to U.S. telco networks being compromised, today CISA is recommending: 1. Use only end-to-end encrypted communications 2. Enable Fast Identity Online (FIDO) phishing-resistant authentication 3. Migrate away from Short Message Service (SMS)-based MFA 4. Use a password manager to store all passwords 5. Set a Telco PIN 6. Regularly update software 7. Opt for the latest hardware version from your cell phone manufacturer 8. Do not use a personal virtual private network (VPN)