CVE-2026-20965: Tenant-Wide RCE via Azure Windows Admin Center

Cymulate Research Labs discovered a critical vulnerability, CVE-2026-20965, in Azure Windows Admin Center (WAC) that allows an attacker with local administrator access on one machine to achieve tenant-wide Remote Code Execution (RCE). Microsoft has released version 0.70.00 of the Windows Admin Center Azure Extension to patch this flaw, which stems from improper token validation in the Azure AD Single Sign-On implementation.