A brand new native privilege escalation vulnerability in Microsoft’s Home windows Admin Heart (WAC), affecting variations as much as 2.4.2.1 and environments operating WAC 2411 and earlier.
Tracked as CVE-2025-64669, the flaw stems from insecure listing permissions on the folder C:ProgramDataWindowsAdminCenter, which is writable by normal customers but utilized by providers operating with elevated privileges.
As a result of Home windows Admin Heart is extensively deployed as a central administration gateway for Home windows Server, clusters, hyper-converged infrastructure and Home windows 10/11 endpoints, the difficulty has broad, technology-layer affect.
Cymulate Publicity Validation with the new assault state of affairs WindowsAdminCenter – CVE-2025-64669 Native Privilege Escalation
Any group counting on WAC for privileged administrative workflows, built-in extensions or server administration inherits the danger wherever normal customers have native filesystem entry on WAC hosts.
Cymulate researchers discovered that what initially seemed to be a low-severity misconfiguration shortly escalated right into a essential design weak spot.
The writable WAC information listing additionally hosts parts and processes operating beneath NETWORK SERVICE and even SYSTEM. This mixture successfully turned a permissive filesystem configuration right into a direct path to compromise the Home windows safety boundary.
By analyzing how WAC handles delicate operations akin to set up, updates and extension administration, the crew recognized two unbiased exploitation chains that each enable a low-privileged person to acquire SYSTEM-level entry: abusing the extension uninstall mechanism and hijacking the updater by way of a DLL loading flaw. Each paths are dependable and require solely native person rights on the WAC server.
Validate whether or not they’re affected by this CVE, and run the state of affairs in opposition to their Home windows Admin Heart gateway
Within the first state of affairs, the researchers targeted on the extension uninstall course of. Decompiling the WAC .NET binaries with dnSpy, they positioned code that constructs an “uninstall” folder path beneath the WAC UI listing, enumerates all PowerShel.ps1 scripts in that folder and executes them with an AllSigned execution coverage beneath a privileged context.
As a result of the father or mother listing is writable by any person, an attacker who can place a signed PowerShell script in that uninstall folder can have it executed with elevated privileges at any time when the corresponding extension is eliminated by way of the WAC UI or API.
For demonstration, Cymulate created a customized extension uninstall listing beneath C:ProgramDataWindowsAdminCenterExtensions, dropped in a signed script and triggered the uninstall move.
The payload ran as NETWORK SERVICE or SYSTEM and wrote its output to a public listing, clearly proving {that a} native normal person can piggyback on this trusted uninstall mechanism to escalate privileges.
The second exploitation path targets the WAC updater element, WindowsAdminCenterUpdater.exe. Throughout reverse engineering, Cymulate noticed that the updater masses DLLs from C:ProgramDataWindowsAdminCenterUpdater, one other location that’s globally writable.
Preliminary makes an attempt at DLL hijacking failed resulting from a signature validation step that rejected unsigned libraries. Nonetheless, a better take a look at the move revealed a traditional time-of-check to time-of-use hole.
Vulnerability Permits Privilege Escalation
Signature validation happens inside the principle WindowsAdminCenter course of earlier than the updater executable is launched. Cymulate exploited this by monitoring for the creation of WindowsAdminCenterUpdater.exe as a daily person and, the second it appeared, copying a malicious user32.dll into the updater listing.
This race situation allowed the attacker-controlled DLL to be loaded by the updater with out present process the prior validation, executing with SYSTEM privileges from a non-admin account.
Superior safety settings for WAC
Each exploitation methods reveal that WAC implicitly trusts content material loaded from a listing that any native person can modify, undermining the meant privilege separation on Home windows methods.
Microsoft confirmed the vulnerability, assigned CVE-2025-64669 an Necessary severity ranking and awarded Cymulate a 5,000 USD bug bounty.
To assist defenders assess and validate their publicity, on December 15, 2025, Cymulate up to date its Publicity Validation platform with a brand new state of affairs, “WindowsAdminCenter – CVE-2025-64669 Native Privilege Escalation.” Prospects can run this state of affairs in opposition to their Home windows Admin Heart gateways to check whether or not their configurations are susceptible and to guage how properly their SIEM, EDR and different endpoint safety controls detect and reply to the assault patterns.
In line with Cymulate’s disclosed timeline, the vulnerability was reported to Microsoft by way of MSRC on August 5, 2025, acknowledged on August 29 and rewarded on September 3.
On November 12, Microsoft knowledgeable the researchers {that a} CVE can be issued with Necessary severity and {that a} repair was deliberate for inclusion within the December 10 Patch Tuesday launch, underscoring the urgency for organizations to trace and apply the corresponding WAC updates as quickly as they develop into accessible.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
