Imagine a critical vulnerability lurking in the heart of your Windows infrastructure, silently waiting to grant attackers the keys to your kingdom. That's the chilling reality of CVE-2025-64669, a newly discovered local privilege escalation flaw in Microsoft's Windows Admin Center (WAC). But here's where it gets even more alarming: this isn't just a theoretical threat. It's a gaping hole affecting versions up to 2.4.2.1 and environments running WAC 2411 and earlier, potentially impacting countless organizations worldwide.
At its core, the issue stems from a seemingly innocuous oversight: insecure directory permissions on the C:\ProgramData\WindowsAdminCenter folder. This folder, writable by any standard user, is also where services running with elevated privileges store critical data. And this is the part most people miss: because WAC serves as a central management hub for Windows Server, clusters, hyper-converged infrastructure, and Windows 10/11 endpoints, the implications are far-reaching. Any organization relying on WAC for administrative tasks is inherently at risk if standard users have local filesystem access on WAC hosts.
Cymulate researchers initially dismissed this as a low-severity misconfiguration. But their deeper investigation revealed a critical design flaw. The writable WAC directory hosts components and processes running under privileged accounts like NETWORK SERVICE and even SYSTEM. This means a malicious actor could exploit this permissive configuration to bypass Windows' security boundaries entirely.
The researchers identified two distinct exploitation paths. The first involves abusing the extension uninstall mechanism. By placing a signed PowerShell script in the writable uninstall folder, an attacker can trigger its execution with elevated privileges when an extension is removed. Cymulate demonstrated this by creating a custom extension, dropping a signed script, and successfully escalating privileges to NETWORK SERVICE or SYSTEM.
The second path targets the WAC updater component, WindowsAdminCenterUpdater.exe. Through reverse engineering, Cymulate discovered a classic time-of-check to time-of-use (TOCTOU) vulnerability. By winning a race condition, an attacker can replace a legitimate DLL with a malicious one during the updater's initialization, gaining SYSTEM-level access from a non-admin account.
Both techniques highlight a fundamental trust issue: WAC blindly trusts content loaded from a directory accessible to all local users, completely undermining Windows' privilege separation model. This raises a controversial question: should critical management tools like WAC be designed with such inherent vulnerabilities?
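As an added defensive check (not code from the article, Cymulate, or Microsoft), the following PowerShell script audits the WAC data directory named above for access control entries that grant write or delete rights to broad principals such as Everyone, Authenticated Users, or BUILTIN\Users; the principal list and the rights mask are assumptions of this example, not values from the advisory.

```powershell
# Added example: find ACEs under the WAC data directory that let any standard user
# add, replace or delete files. Path is the one the article names; the SID list and
# the rights mask below are this script's own assumptions.
param(
    [string]$Path = 'C:\ProgramData\WindowsAdminCenter'
)

# Well-known SIDs held by every standard interactive user.
$BroadSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that allow planting or swapping content (WriteData == CreateFiles,
# AppendData == CreateDirectories for directory objects).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDAC -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WacDirectoryAcl {
    param([string]$Target)
    if (-not (Test-Path -LiteralPath $Target)) { Write-Warning "Not found: $Target"; return }

    # Root folder plus everything beneath it (directories and files).
    $Items  = @(Get-Item -LiteralPath $Target)
    $Items += @(Get-ChildItem -LiteralPath $Target -Recurse -ErrorAction SilentlyContinue)

    foreach ($Item in $Items) {
        $Acl = Get-Acl -LiteralPath $Item.FullName -ErrorAction SilentlyContinue
        if (-not $Acl) { continue }
        foreach ($Ace in $Acl.Access) {
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            try { $Sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable or orphaned SID, skip
            if ($BroadSids -notcontains $Sid) { continue }
            if (([int]$Ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $Item.FullName
                Principal = $Ace.IdentityReference.Value
                Rights    = $Ace.FileSystemRights
                Inherited = $Ace.IsInherited
            }
        }
    }
}

$Findings = Test-WacDirectoryAcl -Target $Path
if ($Findings) { $Findings | Format-Table -AutoSize } else { "No broad write ACEs found under $Path" }
```

Run it as an administrator on each WAC host; any row reported is a location a standard user could use to plant content that privileged WAC components may later load, and is worth tightening until the patched build is installed.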
Microsoft has acknowledged the severity, assigning CVE-2025-64669 an 'Important' rating and rewarding Cymulate with a $5,000 bug bounty. A patch is scheduled for the December 10th Patch Tuesday release. However, the urgency cannot be overstated. Organizations must prioritize updating their WAC installations as soon as the fix becomes available.
To aid defenders, Cymulate has updated its Exposure Validation platform with a dedicated scenario for testing vulnerability to this exploit. This allows organizations to assess their risk and evaluate the effectiveness of their SIEM, EDR, and other security controls.
What do you think? Is Microsoft doing enough to address these critical vulnerabilities? Should organizations reconsider their reliance on centralized management tools like WAC?