CVE-2026-20967
Published 2026-03-10
CVE-2026-20967: Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network.
Priority P260 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.06% (60.3th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | system_center_operations_manager | — | — |
| microsoft | system_center_operations_manager | — | — |
| microsoft | system_center_operations_manager | — | — |
| microsoft | system_center_operations_manager_2019 | >= 10.19.0 < 10.19.10658.0 | 10.19.10658.0 |
| microsoft | system_center_operations_manager_2022 | >= 10.22.0 < 10.22.11951.0 | 10.22.11951.0 |
| microsoft | system_center_operations_manager_2025 | >= 1.0.0 < 10.25.10377.0 | 10.25.10377.0 |
| msrc | system_center_operations_manager_2019 | — | — |
| msrc | system_center_operations_manager_2022 | — | — |
| msrc | system_center_operations_manager_2025 | — | — |
Detection & IOCs (extracted from sources)
- An attacker with any valid SCOM login can create a custom dashboard containing a PowerShell widget to execute arbitrary commands on the web console server. Monitor for unexpected PowerShell widget creation or execution originating from SCOM web console processes.
- Successful exploitation results in SYSTEM-level privilege escalation on the SCOM web console server. Alert on SCOM web console server processes spawning child processes with SYSTEM privileges.
- Exploitation requires an authenticated SCOM account (any valid login); this is a network-based privilege escalation, not an unauthenticated attack. Detection should focus on authenticated sessions abusing the PowerShell widget feature.
- The vulnerability is in the SCOM Web Console component specifically; patches are delivered as WebConsole MSP packages (KB5073251 for one release, KB5071859 and KB5073079 for others). Ensure the web console component is patched, not just the management server.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 8.8 HIGH
GHSA
GHSA-8gfh-97q4-r32h: Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network
ghsa_unreviewed·2026-03-10
CVE-2026-20967 [HIGH] CWE-20 GHSA-8gfh-97q4-r32h: Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network
Microsoft
System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability
vendor_msrc·2026-03-10·CVSS 8.8
CVE-2026-20967 [HIGH] CWE-20 System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability
Description: Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network.
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
FAQ: How could an attacker exploit this vulnerability?
An attacker with any valid SCOM login could create a custom dashboard containing a PowerShell widget, allowing them to run commands on the web console server.
System Center Operations Manager: System Center Operations Manager
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Public
No detection rules found.
No public exploits indexed.
Sophos
March Patch Tuesday visits 15 product families
blogs_sophos·2026-03-13
Bleepingcomputer
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
blogs_bleepingcomputer·2026-03-10·CVSS 8.8
[HIGH] Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
## Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
By Lawrence Abrams
The number of bugs in each vulnerability category is listed below:
- 46 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 18 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 4 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 9 Microsoft Edge flaws, Mariner, Payment Orchestrator Service, Azure, and Microsoft Devices Pricing Program flaws fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the
Sophos
March Patch Tuesday visits 15 product families
blogs_sophos
Microsoft on Tuesday released 84 patches affecting 15 product families – including a few you’ve possibly never encountered. Eight of the addressed issues are considered by Microsoft to be of Critical severity, though none of those affect Windows, nor are they expected to be exploited within the next 30 days. In addition, five of those Critical issues were in fact addressed by Microsoft in advance of Patch Tuesday itself, as we’ll discuss below. Twenty-two have a CVSS base score of 8.0 or higher, including one with a 9.8 base score. None are known to be under active exploit in the wild, but two are publicly disclosed so far.
At patch time, six CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable
Published: 2026-03-10