
Windows Admin Center authentication reflection: what teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Microsoft patched CVE-2026-26119 in Windows Admin Center after research showed authentication reflection could let a low-privileged domain user coerce machine authentication, relay it to the management gateway, and reach SYSTEM access, with full domain compromise possible under the right conditions, according to Semperis. The issue shows how relay-resistant assumptions fail when web-based admin tools depend on authentication flows that were never designed for hostile coercion.

NHIMG editorial — based on content published by Semperis: Windows Admin Center authentication reflection, CVE-2026-26119, and domain compromise risk

By the numbers:

  • Microsoft released an out-of-band patch for Windows Admin Center with CVE-2026-26119 on February 17, 2026.
  • The initial fix was released on January 13, 2026 as CVE-2026-20929.
  • The vulnerability was submitted to Microsoft on July 8th, 2025.

Questions worth separating out

Q: What breaks when authentication reflection is possible on a privileged Windows admin portal?

A: The trust boundary breaks between the client session and the management action.

Q: Why do Windows admin gateways create such high-risk identity exposure when AD CS is nearby?

A: Because the management plane is no longer just an interface.

Q: How can security teams tell whether channel binding protections are actually working?

A: They should validate the control by testing reflected and relayed authentication flows on each supported host version and gateway path.

Practitioner guidance

  • Map every privileged web console to its downstream identity blast radius: inventory whether the management plane can reach AD CS, domain controllers, or other trust anchors.
  • Verify where channel binding is enforced in the stack: test whether EPA or equivalent CBT enforcement happens in the app, the reverse proxy, or HTTP.SYS, and confirm the behaviour on every Windows version you support.
  • Block coercion paths that can trigger machine authentication: harden RPC, DCOM, and other coercion vectors that let an attacker force machine auth toward an HTTP endpoint.

What's in the full analysis

Semperis's full analysis covers the operational detail this post intentionally leaves for the source:

  • Request-by-request reproduction of the authentication reflection sequence and the exact endpoint behaviour involved
  • Payload construction details for command execution and reverse-shell testing against Windows Admin Center
  • The patch chronology across CVE-2026-20929 and CVE-2026-26119, including the EPA and HTTP.SYS changes
  • Additional countermeasures for coercion paths, signing, and RPC filtering that were not expanded here

👉 Read Semperis's analysis of Windows Admin Center authentication reflection and CVE-2026-26119 →
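Added example from the NHIMG editor, not Semperis's code and not anything Microsoft or Windows Admin Center ships. It turns the second and third guidance bullets above (verify where channel binding is enforced; check coercion hardening) into an audit that can be run on each host in the management path and compared across supported Windows versions. Assumptions: it runs in an elevated session; the LSA, IIS, LDAP and SMB settings it reads are the standard Windows ones, not anything specific to the WAC fix; it does not check a Windows Admin Center gateway-specific EPA setting because this post names none, so the WAC side is verified by patch level; the IIS section only applies where IIS is present (for example AD CS web enrollment under /CertSrv).

```powershell
# Added example (NHIMG editor). Audits where channel-binding (EPA / CBT)
# enforcement and relay-relevant hardening are configured on a Windows host
# between a privileged web console and AD CS / domain controllers.
# Assumption: run elevated, once per supported OS version; defaults differ.
# No WAC gateway-specific setting is checked (this post names none).

$ErrorActionPreference = 'SilentlyContinue'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name
    if ($null -eq $item) { return $null }   # value absent -> caller treats as default
    return [int]$item.$Name
}

function New-Finding {
    param([string]$Layer, [string]$Control, $Value, [bool]$Enforced, [string]$Note)
    [pscustomobject]@{
        Layer    = $Layer
        Control  = $Control
        Value    = if ($null -eq $Value) { '<absent>' } else { $Value }
        Enforced = $Enforced
        Note     = $Note
    }
}

function Test-ChannelBindingPosture {
    $findings = @()

    # 1. Host-wide LSA switch. 0 or absent = EPA honoured by SSPI callers.
    #    Any non-zero value suppresses Extended Protection for the whole host,
    #    which makes every per-application "Require" below meaningless.
    $sep = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SuppressExtendedProtection'
    $findings += New-Finding 'LSA' 'SuppressExtendedProtection' $sep `
        (($null -eq $sep) -or ($sep -eq 0)) 'Non-zero disables EPA host-wide'

    # 2. IIS-hosted Windows-auth endpoints (e.g. AD CS web enrollment, /CertSrv).
    #    tokenChecking: None | Allow | Require. Only Require rejects a token whose
    #    channel binding does not match the TLS channel it arrived on.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        foreach ($site in Get-ChildItem IIS:\Sites) {
            $apps  = @(Get-WebApplication -Site $site.Name |
                       ForEach-Object { "IIS:\Sites\$($site.Name)$($_.Path)" })
            $paths = @("IIS:\Sites\$($site.Name)") + $apps
            foreach ($p in $paths) {
                $ep = Get-WebConfiguration -PSPath $p `
                        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
                if ($null -ne $ep) {
                    $findings += New-Finding 'IIS' "$p tokenChecking" $ep.tokenChecking `
                        ($ep.tokenChecking -eq 'Require') 'None/Allow accept relayed Windows auth'
                }
            }
        }
    }

    # 3. Domain controllers only: LDAP channel binding and signing, the usual
    #    downstream targets when coerced machine auth is relayed onward.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $cb = Get-RegDword $ntds 'LdapEnforceChannelBinding'
        $findings += New-Finding 'LDAP' 'LdapEnforceChannelBinding' $cb ($cb -eq 2) '2 = always required'
        $sg = Get-RegDword $ntds 'LDAPServerIntegrity'
        $findings += New-Finding 'LDAP' 'LDAPServerIntegrity' $sg ($sg -eq 2) '2 = signing required'
    }

    # 4. SMB signing: an unsigned SMB server is the simplest cross-protocol relay target.
    $smb = Get-SmbServerConfiguration
    if ($null -ne $smb) {
        $findings += New-Finding 'SMB' 'RequireSecuritySignature' $smb.RequireSecuritySignature `
            ([bool]$smb.RequireSecuritySignature) 'Unsigned SMB accepts relayed machine auth'
    }

    return $findings
}

Test-ChannelBindingPosture | Format-Table -AutoSize
# Coercion-path check (manual): `netsh rpc filter show filter` lists RPC
# interface filters; an empty list means no RPC filtering is in place.
```

Read the Enforced column per layer rather than as one verdict: a Require on an IIS application is only meaningful if the LSA row is also enforced, and the LDAP rows appear only on domain controllers. Running the same script on each supported OS version is what the second guidance bullet asks for, since the defaults and the layer that does the enforcing differ between versions.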


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Authentication reflection is a trust failure, not just a web bug. The problem is that the gateway accepted identity material in a way that assumed the transport and the client context were trustworthy. That assumption breaks when an attacker can coerce and replay authentication across protocols, which is why admin-plane identity controls need to be validated at the binding layer, not only at login. Practitioners should treat reflected authentication as a privilege boundary collapse, not a nuisance flaw.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly delegated access can outgrow governance.

A question worth separating out:

Q: Who is accountable when a management portal allows relay into certificate infrastructure?

A: Accountability sits with the system owner, the platform team, and the identity team together, because the failure spans application design, host enforcement, and downstream trust architecture. Frameworks such as NIST CSF and zero trust treat that as shared control ownership, not a single-team defect.

👉 Read our full editorial: Windows Admin Center reflection flaw exposed a domain compromise path
