CVE-2026-20967
published 2026-03-10

CVE-2026-20967: Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network.

Priority: P260, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.06% (60.3th percentile)

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | system_center_operations_manager | | |
| microsoft | system_center_operations_manager | | |
| microsoft | system_center_operations_manager | | |
| microsoft | system_center_operations_manager_2019 | >= 10.19.0 < 10.19.10658.0 | 10.19.10658.0 |
| microsoft | system_center_operations_manager_2022 | >= 10.22.0 < 10.22.11951.0 | 10.22.11951.0 |
| microsoft | system_center_operations_manager_2025 | >= 1.0.0 < 10.25.10377.0 | 10.25.10377.0 |
| msrc | system_center_operations_manager_2019 | | |
| msrc | system_center_operations_manager_2022 | | |
| msrc | system_center_operations_manager_2025 | | |

Detection & IOCs (extracted from sources)

  • An attacker with any valid SCOM login can create a custom dashboard containing a PowerShell widget to execute arbitrary commands on the web console server — monitor for unexpected PowerShell widget creation or execution originating from SCOM web console processes.
  • Successful exploitation results in SYSTEM-level privilege escalation on the SCOM web console server — alert on SCOM web console server processes spawning child processes with SYSTEM privileges.
  • Exploitation requires an authenticated SCOM account (any valid login); this is a network-based privilege escalation, not an unauthenticated attack. Detection should focus on authenticated sessions abusing the PowerShell widget feature.
  • The vulnerability is in the SCOM Web Console component specifically; patches are delivered as WebConsole MSP packages (KB5073251 for one release, KB5071859 and KB5073079 for others). Ensure the web console component is patched, not just the management server.

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc: 8.8 HIGH