Critical Windows Admin Center Flaw Allows Privilege Escalation; Update Urgently Advised

Critical Vulnerability in Windows Admin Center Allows Privilege Escalation

A significant security flaw has been identified in Microsoft’s Windows Admin Center (WAC), designated as CVE-2025-64669. This vulnerability affects WAC versions up to 2.4.2.1 and environments running WAC 2411 and earlier. The issue arises from insecure directory permissions on the folder C:\ProgramData\WindowsAdminCenter, which is writable by standard users but utilized by services operating with elevated privileges.

Scope and Impact

Windows Admin Center serves as a central management gateway for Windows Server, clusters, hyper-converged infrastructure, and Windows 10/11 endpoints. Consequently, this vulnerability has a broad impact across various technology layers. Organizations that depend on WAC for privileged administrative workflows, integrated extensions, or server management are at risk, particularly where standard users have local filesystem access on WAC hosts.

Discovery and Exploitation

Researchers at Cymulate discovered that what initially appeared to be a low-severity misconfiguration escalated into a critical design weakness. The writable WAC data directory is used by components and processes running under NETWORK SERVICE and even SYSTEM privileges. This combination effectively turns a permissive filesystem configuration into a direct path across the Windows security boundary.

By analyzing how WAC handles sensitive operations such as installation, updates, and extension management, the team identified two independent exploitation chains that allow a low-privileged user to obtain SYSTEM-level access:

1. Abusing the Extension Uninstall Mechanism: Decompiling the WAC .NET binaries with dnSpy, researchers located code that constructs an uninstall folder path under the WAC UI directory, enumerates all PowerShell scripts in that folder, and executes them with an AllSigned execution policy under a privileged context. Because the parent directory is writable by any user, an attacker who can place a signed PowerShell script in that uninstall folder can have it executed with elevated privileges whenever the corresponding extension is removed via the WAC UI or API.

2. Hijacking the Updater via a DLL Loading Flaw: The WAC updater component, WindowsAdminCenterUpdater.exe, loads DLLs from C:\ProgramData\WindowsAdminCenter\Updater, another location that is globally writable. Initial attempts at DLL hijacking failed because a signature validation step rejected unsigned libraries. A closer look at the flow, however, revealed a classic time-of-check to time-of-use gap: the signature is validated inside the main WindowsAdminCenter process before the updater executable is launched.

Mitigation and Recommendations

To mitigate the risks associated with CVE-2025-64669, organizations should take the following steps:

– Update Windows Admin Center: Ensure that WAC is updated to the latest version where this vulnerability has been addressed.

– Review Directory Permissions: Audit and modify directory permissions to restrict write access to critical folders such as C:\ProgramData\WindowsAdminCenter.

– Monitor for Unauthorized Changes: Implement monitoring to detect unauthorized changes to the WAC directories and components.

– Limit User Privileges: Restrict local filesystem access for standard users on WAC hosts to minimize potential exploitation vectors.

By proactively addressing these areas, organizations can reduce the risk of privilege escalation attacks stemming from this vulnerability.
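The permission audit recommended above, as an added example that is not Microsoft's, Cymulate's or the article's own code: it walks the C:\ProgramData\WindowsAdminCenter tree named in the advisory and reports every Allow ACE that grants file-creation or replacement rights to broad principals (the principal list is a hypothetical choice for a typical host).

```powershell
# Added example (not Microsoft's or Cymulate's code): audit the WAC data directory
# tree for ACEs that grant write access to low-privileged principals.
# Assumptions: the path C:\ProgramData\WindowsAdminCenter from the advisory; the
# list of broad principals below is a hypothetical choice for a typical host.
param(
    [string]$Root = 'C:\ProgramData\WindowsAdminCenter'
)
# Groups every local standard user belongs to (assumption: typical domain/workgroup host).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal create or replace files (scripts, DLLs) in a folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::CreateFiles -bor $R::CreateDirectories -bor $R::DeleteSubdirectoriesAndFiles

function Get-BroadWriteAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Warning "$Root not found; is Windows Admin Center installed on this host?"
    return
}

# Check the root and every subfolder (the advisory names Updater and the UI tree).
$dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
$findings = @(foreach ($d in $dirs) { Get-BroadWriteAces -Path $d.FullName })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Host "$($findings.Count) write-capable ACE(s) for broad principals found."
} else {
    Write-Host "No write-capable ACEs for broad principals under $Root."
}
```

Before tightening any ACE the script reports, confirm which service accounts (NETWORK SERVICE, SYSTEM) WAC itself needs on each folder, and re-run the audit after applying the vendor update to verify the fix on that host.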