CVE-2026-1680 Overview
CVE-2026-1680 is an improper access control vulnerability [CWE-250] in the Windows Communication Foundation (WCF) endpoint of Edgemo Local Admin Service 1.2.7.23180, a product now owned by Danoffice IT. The service exposes a named pipe through LocalAdminService.exe that enforces group membership checks on the client side rather than the server side. A local authenticated user can communicate directly with the named pipe, bypass the client-side validation, and elevate privileges to the local Administrators group.
Critical Impact
Any local user on an affected Windows endpoint can gain local administrator privileges by sending crafted requests directly to the LocalAdminService.exe named pipe.
Affected Products
- Danoffice IT (formerly Edgemo) Local Admin Service 1.2.7.23180 on Windows
- Deployments using the legacy Edgemo Local Admin Service component
- Workplace Management installations that bundle the Local Admin Service
Discovery Timeline
- 2026-01-30 - CVE-2026-1680 published to the National Vulnerability Database
- 2026-03-03 - Last updated in the NVD
Technical Details for CVE-2026-1680
Vulnerability Analysis
The Local Admin Service is a Windows tool that allows authorized users to temporarily elevate themselves into the local Administrators group. The product is implemented as a Windows service hosting a WCF endpoint over a named pipe. The official client application, intended for end users, validates the requester's group membership before forwarding any elevation request to the service.
The vulnerability stems from the placement of that authorization check. The service trusts the client to perform the membership validation. The WCF endpoint itself accepts requests from any local caller able to open the pipe. An attacker who connects to the named pipe directly, without using the legitimate client binary, never triggers the membership check and the server processes the elevation request as authorized.
This is a classic confused deputy condition tracked under [CWE-250] (Execution with Unnecessary Privileges). The service runs as LocalSystem and performs privileged group modifications on behalf of callers it cannot reliably authenticate or authorize.
Root Cause
The root cause is server-side reliance on client-side authorization. The WCF service contract exposed by LocalAdminService.exe does not enforce its own access control list on inbound named pipe connections, and it does not validate that the calling process belongs to an authorized group before performing privileged actions.
Attack Vector
Exploitation requires local access and low privileges on the target Windows host. An attacker enumerates the named pipe exposed by LocalAdminService.exe, builds a WCF client against the published contract, and invokes the elevation method directly. Because the server does not re-check the caller's group membership, the request succeeds and the attacker's account is added to the local Administrators group.
For implementation details, see the Retest Local Privilege Escalation Advisory.
Detection Methods for CVE-2026-1680
Indicators of Compromise
- Unexpected additions to the local Administrators group on hosts running LocalAdminService.exe, especially for accounts that should not have elevation rights.
- Connections to the Local Admin Service named pipe originating from processes other than the legitimate vendor client binary.
- Security event 4732 (member added to a security-enabled local group) generated by the LocalAdminService.exe process for unauthorized users.
Detection Strategies
- Audit Windows Security logs for event IDs 4732 and 4720 correlated with LocalAdminService.exe as the calling process.
- Hunt for non-standard processes opening handles to named pipes registered by LocalAdminService.exe using Sysmon event IDs 17 (pipe created) and 18 (pipe connected).
- Baseline which user accounts legitimately use the Local Admin Service and alert on any elevation request from accounts outside that list.
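The 4732 audit and account baseline described above, as an added PowerShell example (not code from the vendor or the advisory): it reads event XML, keeps additions to BUILTIN\Administrators (S-1-5-32-544), and reports members outside a baseline. The SIDs, the sample events and the function name Find-UnapprovedElevation are constructed for illustration; flagging LocalSystem (S-1-5-18) as the subject assumes the event records the service account that made the change.

```powershell
# Added example; all SIDs and events below are constructed placeholders.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # LocalSystem, the account the service runs as
$Baseline  = @('S-1-5-21-1111111111-2222222222-3333333333-1105')  # assumed approved users

function Find-UnapprovedElevation {
    param([string[]]$EventXml, [string[]]$ApprovedSids)
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        # local-name() matching works with or without the event XML namespace
        $id = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        $d = @{}
        foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        # Keep only additions to the local Administrators group
        if ($id -ne '4732' -or $d['TargetSid'] -ne $AdminsSid) { continue }
        # Skip accounts that are expected to use the elevation service
        if ($ApprovedSids -contains $d['MemberSid']) { continue }
        [pscustomobject]@{
            MemberSid     = $d['MemberSid']
            AddedBySid    = $d['SubjectUserSid']
            ByLocalSystem = ($d['SubjectUserSid'] -eq $SystemSid)
        }
    }
}

# Constructed sample events, trimmed to the fields used above:
# {0} = member added, {1} = target group, {2} = subject that made the change
$tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
       "<System><EventID>4732</EventID></System><EventData>" +
       "<Data Name='MemberSid'>{0}</Data><Data Name='TargetSid'>{1}</Data>" +
       "<Data Name='SubjectUserSid'>{2}</Data></EventData></Event>"
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    ($tpl -f "$dom-1105", $AdminsSid, $SystemSid),       # approved user, ignored
    ($tpl -f "$dom-1199", $AdminsSid, $SystemSid),       # outside baseline, reported
    ($tpl -f "$dom-1199", 'S-1-5-32-555', $SystemSid),   # different group, ignored
    ($tpl -f "$dom-1200", $AdminsSid, "$dom-500")        # added by an admin, reported
)

Find-UnapprovedElevation -EventXml $sample -ApprovedSids $Baseline | Format-Table -AutoSize

# Live use on an endpoint (elevated prompt):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732} | ForEach-Object { $_.ToXml() }
# Find-UnapprovedElevation -EventXml $live -ApprovedSids $Baseline
```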
Monitoring Recommendations
- Forward Windows Security, Sysmon, and service logs from endpoints running the Local Admin Service to a centralized analytics platform for retrospective hunting.
- Track the parent-child process tree around LocalAdminService.exe to identify unauthorized WCF clients.
- Generate alerts for any change to local group membership outside of approved change windows.
How to Mitigate CVE-2026-1680
Immediate Actions Required
- Inventory endpoints running Danoffice IT (Edgemo) Local Admin Service 1.2.7.23180 and prioritize remediation on multi-user and shared workstations.
- Contact Danoffice IT to obtain a fixed build or written guidance on safe deployment of the Local Admin Service.
- Restrict local logon rights on affected hosts to reduce the population of users able to reach the vulnerable named pipe.
Patch Information
At the time of NVD publication on 2026-01-30, no vendor advisory or patched build is referenced in the CVE record. Administrators should consult Danoffice IT directly and monitor the DanOfficeIT Workplace Management Guide for updates.
Workarounds
- Uninstall or stop the LocalAdminService Windows service on hosts where temporary elevation is not required.
- Apply a host firewall or named pipe ACL that restricts access to the Local Admin Service pipe to a narrow administrative group.
- Replace the affected component with a server-side authorized elevation mechanism such as Microsoft LAPS or an EPM solution until a fixed version is released.
# Disable the vulnerable Windows service from an elevated PowerShell prompt
Stop-Service -Name "LocalAdminService" -Force
Set-Service -Name "LocalAdminService" -StartupType Disabled
Get-Service -Name "LocalAdminService" | Select-Object Name, Status, StartType