📄 Description (English)
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
🤖 AI Executive Summary
CVE-2026-35438 is a high-severity privilege escalation vulnerability in Windows Admin Center affecting authorized users who can exploit missing authorization controls to gain elevated privileges over a network. With a CVSS score of 8.3, this vulnerability poses significant risk to organizations managing Windows infrastructure remotely. No patch is currently available, requiring immediate implementation of compensating controls and network segmentation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 18, 2026 08:37
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability significantly impacts Saudi government agencies (NCA, NCSC), banking sector (SAMA-regulated institutions, major banks), healthcare organizations (MOH facilities), and energy sector (ARAMCO, utilities). Windows Admin Center is widely deployed for remote infrastructure management across these critical sectors. The privilege escalation capability could allow attackers to compromise domain controllers, critical servers, and sensitive administrative functions, potentially affecting national critical infrastructure.
🏢 Affected Saudi Sectors
Government (NCA, NCSC, ministries)
Banking and Financial Services (SAMA-regulated)
Healthcare (MOH, private hospitals)
Energy and Utilities (ARAMCO, power generation)
Telecommunications (STC, Mobily, Zain)
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.1
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Windows Admin Center deployments and identify authorized users with access
2. Implement network segmentation to restrict Windows Admin Center access to dedicated administrative networks only
3. Enable enhanced logging and monitoring on Windows Admin Center instances
4. Restrict Windows Admin Center access by IP address and require VPN for remote connections
5. Implement multi-factor authentication (MFA) for all Windows Admin Center administrative accounts
6. Review and audit all recent administrative actions in Windows Admin Center logs for suspicious activity
7. Disable Windows Admin Center if not actively required; use alternative management tools with stronger authorization controls
8. Apply principle of least privilege - remove unnecessary administrative roles and permissions
DETECTION RULES:
- Monitor for unauthorized privilege escalation attempts in Windows Admin Center event logs (Event ID 4672, 4673)
- Alert on access to sensitive administrative functions from unexpected user accounts
- Track changes to user roles and permissions within Windows Admin Center
- Monitor network traffic to Windows Admin Center for anomalous patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع نشرات Windows Admin Center وتحديد المستخدمين المصرحين بالوصول
2. تنفيذ تقسيم الشبكة لتقييد وصول Windows Admin Center إلى شبكات إدارية مخصصة فقط
3. تفعيل السجلات المحسنة والمراقبة على مثيلات Windows Admin Center
4. تقييد وصول Windows Admin Center حسب عنوان IP وطلب VPN للاتصالات البعيدة
5. تنفيذ المصادقة متعددة العوامل (MFA) لجميع حسابات Windows Admin Center الإدارية
6. مراجعة وتدقيق جميع الإجراءات الإدارية الأخيرة في سجلات Windows Admin Center للنشاط المريب
7. تعطيل Windows Admin Center إذا لم يكن مطلوباً بنشاط؛ استخدام أدوات إدارة بديلة بضوابط تفويض أقوى
8. تطبيق مبدأ أقل امتياز - إزالة الأدوار والأذونات الإدارية غير الضرورية
قواعد الكشف:
- مراقبة محاولات رفع الامتيازات غير المصرح بها في سجلات Windows Admin Center (معرف الحدث 4672، 4673)
- تنبيهات الوصول إلى الوظائف الإدارية الحساسة من حسابات مستخدم غير متوقعة
- تتبع التغييرات في أدوار المستخدمين والأذونات داخل Windows Admin Center
- مراقبة حركة المرور إلى Windows Admin Center للأنماط الشاذة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authorization
ECC 2024 A.9.4.3 - Password management and access control
ECC 2024 A.8.2.3 - Segregation of duties
ECC 2024 A.12.4.1 - Event logging and monitoring
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-4 - Access rights and privileges management
SAMA CSF DE.CM-1 - System monitoring and detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
PCI DSS 7.1 - Limit access to system components by business need to know
PCI DSS 8.2 - Ensure proper user identification and authentication
PCI DSS 10.2 - Implement automated audit trails
🔗 References & Sources 1