Critical Windows Admin Center Flaw CVE-2025-64669 Exposes Servers to Attack
Red Hot Cyber

18 December 2025 07:16

A security flaw has been discovered in Microsoft’s Windows Admin Center (WAC). Essentially, a permissions error could allow any standard user to take control of a server.

The Cymulate Research Labs team has published a new report detailing the discovery of CVE-2025-64669, a Local Privilege Escalation (LPE) vulnerability (CVSS 7.8). This vulnerability affects the most popular versions of the infrastructure management tool. In short, it’s a vulnerability that could jeopardize server security.

The news came after an in-depth analysis by the research team, which focused on the issue. The flaw is present in the most popular versions of WAC. A malicious user could easily exploit it to gain administrator privileges and thus take full control of the server.

The problem stems from a very simple configuration error: a very important system folder was left unlocked. Researchers discovered that the C:\ProgramData\WindowsAdminCenter directory was set to be accessible to all standard users, including write access. This error essentially allowed attackers to gain control. Now, thanks to Microsoft’s fix, the flaw has been closed.

The vulnerability was caused by a failure to protect the folder, which was configured to be accessible to everyone with few restrictions, so standard users could write to the directory without being blocked. The discovery prompted Microsoft to take action, and security has now been strengthened.

“The root cause lies in insecure directory permissions, where the C:\ProgramData\WindowsAdminCenter folder is writable by all standard users,” the report states. This oversight allowed any low-privileged user on the system to tamper with files used by the more powerful Admin Center processes. “Standard users with access to the underlying file system can exploit this misconfiguration to escalate privileges.”

Finding a writable folder is one thing; weaponizing it is another. Researchers have identified two distinct ways to exploit this flaw, but the most ingenious method involved fooling the WAC updater.

The team’s discovery revealed that a DLL hijacking attack could be performed on the WindowsAdminCenterUpdater.exe process. However, the update featured a protection mechanism that validated digital signatures before uploading files.

“We almost gave up, but then we noticed something interesting,” the researchers wrote. They realized that the validation process presented a small window of vulnerability, a classic “Time-of-Check Time-of-Use” (TOCTOU) flaw. “The validation process occurs within the WindowsAdminCenter process itself and, upon completion, calls and opens WindowsAdminCenterUpdater.exe.”

Microsoft has assigned CVE-2025-64669 to the issue and awarded the Cymulate team a $5,000 reward for their findings. Administrators using Windows Admin Center are encouraged to immediately update to version 2411 or later to address this critical vulnerability.
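
A defender-side check for the condition described above, added here as an example and not taken from the article, Cymulate or Microsoft: it walks the directory the report names and lists every Allow entry that gives a broad low-privileged group write-type access. The list of groups and the rights mask are this example's own assumptions about what counts as "writable by standard users".

```powershell
# Added example, not from the article or from Microsoft: list Allow ACEs that give
# broad low-privileged groups write-type access under the directory the article names.
$Path = 'C:\ProgramData\WindowsAdminCenter'   # path from the article

# Well-known SIDs rather than names, so the check also works on localized systems.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting or replacing files, or rewriting the ACL itself,
# plus the GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$R = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
              $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
              $R::TakeOwnership) -bor 0x50000000

function Get-BroadWriteAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Path      = $Target
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $Path) {
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    $findings = foreach ($i in $items) { Get-BroadWriteAce -Target $i.FullName }
    if ($findings) { $findings | Format-Table -AutoSize -Wrap }
    else { Write-Output "No broad write-type ACEs found under $Path." }
} else {
    Write-Output "$Path not found on this host."
}
```

Run it from an elevated session so every child item's ACL can be read. Rows marked `Inherited` point to a permissive entry on a parent folder, not on the item itself.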

Editorial staff

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
