Severity
High
Analysis Summary
A newly disclosed local privilege escalation vulnerability in Microsoft Windows Admin Center (WAC), tracked as CVE-2025-64669, affects WAC versions up to 2.4.2.1 and environments running WAC 2411 and earlier. The flaw originates from insecure directory permissions on C:\ProgramData\WindowsAdminCenter, a location writable by standard users but trusted by services running with NETWORK SERVICE and SYSTEM privileges. Given that WAC is widely used as a centralized management gateway for Windows Server, clusters, hyper-converged infrastructure, and Windows 10/11 endpoints, the vulnerability presents a broad and high-impact risk across enterprise environments where local user access exists on WAC hosts.
Researchers discovered that what initially appeared to be a low-severity misconfiguration actually represented a critical design weakness that breaks Windows privilege boundaries. Their analysis showed that sensitive WAC operations, such as extension handling, updates, and maintenance, implicitly trust content from globally writable directories. As a result, any organization using WAC for privileged administrative workflows or integrated extensions effectively inherits the risk, allowing low-privileged users to interfere with trusted processes.
Two reliable exploitation paths were identified that allow a standard local user to gain SYSTEM-level access. The first abuses the extension uninstall mechanism: during extension removal, WAC enumerates and executes signed PowerShell scripts from an “uninstall” directory under C:\ProgramData\WindowsAdminCenter\Extensions. Because this parent directory is writable, an attacker can place a signed script that will be executed with elevated privileges when the extension is uninstalled via the WAC UI or API. Cymulate demonstrated this by executing a payload that ran as NETWORK SERVICE or SYSTEM, confirming successful privilege escalation.
The second exploitation chain targets the WindowsAdminCenterUpdater.exe component through a DLL hijacking race condition. Although WAC performs signature validation on updater components, Cymulate identified a time-of-check to time-of-use gap. By rapidly placing a malicious DLL (such as user32.dll) into the writable updater directory after validation but before execution, attackers can bypass the check and achieve SYSTEM execution. Microsoft confirmed the issue, rated it Important, and assigned CVE-2025-64669. A fix was scheduled for the December 10 Patch Tuesday release, and Cymulate added a dedicated exposure validation scenario on December 15, 2025, enabling organizations to test their WAC gateways and assess detection and response capabilities.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-64669
Affected Vendors
Remediation
- Immediately update Windows Admin Center to the latest version released by Microsoft that includes the fix from the December Patch Tuesday update.
- Restrict filesystem permissions on C:\ProgramData\WindowsAdminCenter and all its subdirectories to ensure only Administrators and required system accounts (SYSTEM, NETWORK SERVICE) have write access.
- Audit and harden WAC extension management, ensuring only trusted and necessary extensions are installed and regularly reviewing extension uninstall and update activities.
- Monitor for suspicious file activity within WAC directories, especially creation or modification of PowerShell scripts and DLL files by non-admin users.
- Deploy and tune EDR/SIEM detections to alert on anomalous execution of PowerShell scripts or DLL loads originating from WAC-related paths.
- Limit local user access on servers hosting Windows Admin Center and avoid allowing standard users to log in interactively to WAC hosts.
- Enable Windows Defender Exploit Guard / Attack Surface Reduction rules to block abuse of PowerShell and unauthorized DLL loading where possible.
- Validate exposure using security testing tools, such as Cymulate’s Exposure Validation scenario for CVE-2025-64669, to confirm remediation effectiveness.
- Regularly review Microsoft security advisories and apply WAC and Windows Server patches promptly as part of a formal patch management process.
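The permission and monitoring steps above (restricting write access on C:\ProgramData\WindowsAdminCenter and watching for files planted there by non-admin users) can be checked with the following audit script. It is an added example, not code from the advisory, Microsoft or Cymulate; it assumes the default install path named in the advisory and English built-in principal names, and it only reports, leaving any ACL change to the administrator.

```powershell
# Added example, not from the advisory: list ACEs in the WAC ProgramData tree that
# grant write-type rights to broad principals. Any hit means a standard user can
# plant scripts or DLLs in a location trusted by SYSTEM / NETWORK SERVICE.
# Assumptions: default install path; English built-in principal names; run elevated
# so every subdirectory is readable. Custom groups are not expanded, so a local
# group that contains Users would not be flagged by this check.

$WacRoot = 'C:\ProgramData\WindowsAdminCenter'

# Principals that should never hold write rights on a tree consumed by a service.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets a user add, replace or remove files in a directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WacWeakAce {
    param([string]$Path = $WacRoot)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # WAC not installed here

    # Root directory plus every subdirectory (Extensions, updater folders, ...).
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            $grantsWrite = ([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: an empty table is the expected state after hardening; rows identify the
# directory and principal to fix. Non-inherited rows point at the ACE to remove.
Get-WacWeakAce | Format-Table -AutoSize
```

Re-run the script after applying the Microsoft fix and after any ACL change, since an inherited ACE from C:\ProgramData can reintroduce write access on a newly created subdirectory.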