Windows Admin Center Vulnerability (CVE-2025-64669) Let Attackers Escalate Privileges

A new local privilege escalation vulnerability has been disclosed in Microsoft’s Windows Admin Center (WAC), affecting versions up to 2.4.2.1 and environments running WAC 2411 and earlier.

Tracked as CVE-2025-64669, the flaw stems from insecure directory permissions on the folder C:\ProgramData\WindowsAdminCenter, which is writable by standard users yet used by services running with elevated privileges.

Because Windows Admin Center is widely deployed as a central management gateway for Windows Server, clusters, hyper-converged infrastructure and Windows 10/11 endpoints, the issue has a broad impact across the management layer of an organization’s infrastructure.

Cymulate Exposure Validation with the new attack scenario WindowsAdminCenter – CVE-2025-64669 Local Privilege Escalation

Any organization relying on WAC for privileged administrative workflows, integrated extensions or server management inherits the risk wherever standard users have local filesystem access on WAC hosts.

Cymulate researchers found that what initially appeared to be a low-severity misconfiguration quickly escalated into a critical design weakness.

The writable WAC data directory also hosts components and processes running under NETWORK SERVICE and even SYSTEM. This combination effectively turned a permissive filesystem configuration into a direct path to compromise the Windows security boundary.
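The precondition for both attack paths is that a standard user can create files under the WAC data directory. The following PowerShell audit is an added example, not code from Cymulate or Microsoft: it reads the ACLs on C:\ProgramData\WindowsAdminCenter and on the Extensions and Updater subfolders this article names, and reports any allow entry that gives Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE the right to create files or folders there. The default install path and the subfolder names come from this article; the helper name Get-WacWritableAce and the choice of principals to flag are my own assumptions.

```powershell
# Added audit example (not Cymulate's or Microsoft's code). Reports ACEs on the
# Windows Admin Center data directory that let a standard user drop files there,
# the precondition for CVE-2025-64669.
# Assumptions: WAC is installed at the default C:\ProgramData\WindowsAdminCenter
# path, and this runs in an elevated PowerShell session on the WAC gateway.

$WacRoot      = 'C:\ProgramData\WindowsAdminCenter'
$PathsToAudit = @($WacRoot, (Join-Path $WacRoot 'Extensions'), (Join-Path $WacRoot 'Updater'))

# Well-known SIDs that every interactive standard user is a member of.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Access-mask bits that allow dropping a file or folder:
#   0x2 WriteData/CreateFiles, 0x4 AppendData/CreateDirectories,
#   0x40000000 GENERIC_WRITE and 0x10000000 GENERIC_ALL (generic bits can
#   survive unmapped in stored ACEs, so they are checked as well).
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-WacWritableAce {
    param([string[]]$Path = $PathsToAudit)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs grant anything; Deny ACEs are not evaluated here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or unresolvable account
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $LowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings = Get-WacWritableAce
if ($findings) {
    Write-Warning "Standard users can write into the WAC data directory (CVE-2025-64669 precondition):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No standard-user write ACEs found under $WacRoot."
}
```

An Inherited = True result with "ContainerInherit, ObjectInherit" flags means the permissive entry came down from C:\ProgramData and will also land on any folder WAC creates later, which is the pattern to look for. The definitive test is still to log on as a non-admin and try to create a file in the Updater folder, since this script does not evaluate Deny entries or group nesting. Tightening the ACL by hand is not the vendor fix this article describes and may break extension installs and updates; the supported remediation is the WAC update Microsoft scheduled.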

By analyzing how WAC handles sensitive operations such as installation, updates and extension management, the team identified two independent exploitation chains that both allow a low-privileged user to obtain SYSTEM-level access: abusing the extension uninstall mechanism and hijacking the updater via a DLL loading flaw. Both paths are reliable and require only local user rights on the WAC server.

Customers can validate whether they are affected by this CVE by running the scenario against their Windows Admin Center gateway

In the first scenario, the researchers focused on the extension uninstall process. Decompiling the WAC .NET binaries with dnSpy, they located code that constructs an “uninstall” folder path under the WAC UI directory, enumerates all PowerShell (.ps1) scripts in that folder and executes them with an AllSigned execution policy under a privileged context.

Because the parent directory is writable by any user, an attacker who can place a signed PowerShell script in that uninstall folder can have it executed with elevated privileges whenever the corresponding extension is removed via the WAC UI or API. Note that AllSigned only requires the script to carry an Authenticode signature from a publisher the executing context trusts; it does nothing to verify where the script came from or who placed it in the folder.

For demonstration, Cymulate created a custom extension uninstall directory under C:\ProgramData\WindowsAdminCenter\Extensions\, dropped in a signed script and triggered the uninstall flow.

The payload ran as NETWORK SERVICE or SYSTEM and wrote its output to a public directory, clearly proving that a local standard user can piggyback on this trusted uninstall mechanism to escalate privileges.

The second exploitation path targets the WAC updater component, WindowsAdminCenterUpdater.exe. During reverse engineering, Cymulate observed that the updater loads DLLs from C:\ProgramData\WindowsAdminCenter\Updater, another location that is globally writable.

Initial attempts at DLL hijacking failed due to a signature validation step that rejected unsigned libraries. However, a closer look at the flow revealed a classic time-of-check to time-of-use gap.

Vulnerability Enables Privilege Escalation

Signature validation occurs within the main WindowsAdminCenter process before the updater executable is launched, so nothing re-checks the directory contents once the updater itself starts. Cymulate exploited this by monitoring, as a regular user, for the creation of WindowsAdminCenterUpdater.exe and, the moment it appeared, copying a malicious user32.dll into the updater directory.

This race condition allowed the attacker-controlled DLL to be loaded by the updater without undergoing the prior validation, executing with SYSTEM privileges from a non-admin account.

Advanced security settings for WAC

Both exploitation techniques demonstrate that WAC implicitly trusts content loaded from a directory that any local user can modify, undermining the intended privilege separation on Windows systems.
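Both chains leave the same observable artifact: a file created in the WAC data directory by a principal that is not one of the service accounts WAC itself runs under. The PowerShell below is an added detection example, not code from Cymulate or Microsoft. It hunts Sysmon FileCreate records (Event ID 11) for .dll files dropped into the Updater folder or .ps1 files dropped under Extensions, and flags any not written by SYSTEM or NETWORK SERVICE. It assumes Sysmon is installed with a FileCreate rule that covers C:\ProgramData\WindowsAdminCenter and that the Sysmon version in use records the User field on Event ID 11; the sample event embedded in the block is constructed for offline testing and the function names are my own.

```powershell
# Added detection example (not Cymulate's or Microsoft's code). Hunts Sysmon
# FileCreate (Event ID 11) records for files dropped into the two WAC folders
# this advisory names by anyone other than the WAC service accounts.
# Assumptions: Sysmon is installed with a FileCreate rule covering
# C:\ProgramData\WindowsAdminCenter, and it populates the 'User' field.

# .dll in the Updater folder (DLL hijack) or .ps1 anywhere under Extensions
# (uninstall-script abuse). -match is case-insensitive by default.
$SuspiciousPath = '^C:\\ProgramData\\WindowsAdminCenter\\(Updater\\[^\\]+\.dll|Extensions\\.+\.ps1)$'

# Accounts under which legitimate WAC install/update/uninstall activity writes
# to these folders, per the advisory.
$ServiceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE')

function ConvertFrom-SysmonFileCreate {
    # Flattens a Sysmon event's <EventData> into a hashtable of field -> value.
    param([xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-WacDropEvent {
    # $true when a FileCreate record matches CVE-2025-64669 tradecraft.
    param([hashtable]$Fields)
    if ($Fields.TargetFilename -notmatch $SuspiciousPath) { return $false }
    $user = $Fields.User
    # Older Sysmon builds omit User: keep the event so an analyst triages it.
    if ([string]::IsNullOrEmpty($user)) { return $true }
    return ($ServiceAccounts -notcontains $user)
}

function Find-WacDropEvent {
    # Takes raw event XML strings so it can run on live logs or saved samples.
    param([string[]]$EventXml)
    foreach ($x in $EventXml) {
        $f = ConvertFrom-SysmonFileCreate -EventXml $x
        if (Test-WacDropEvent -Fields $f) {
            [pscustomobject]@{
                Time   = $f.UtcTime
                User   = $f.User
                Image  = $f.Image
                Target = $f.TargetFilename
            }
        }
    }
}

# Constructed sample (not a real capture): a standard user copying a DLL into
# the updater directory from PowerShell, as in the second chain described above.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-12-15 10:02:11.123</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetFilename">C:\ProgramData\WindowsAdminCenter\Updater\user32.dll</Data>
    <Data Name="User">WACGW01\lowpriv</Data>
  </EventData>
</Event>
'@
Find-WacDropEvent -EventXml $SampleEvent | Format-Table -AutoSize

# Live hunt on the gateway: last 7 days of Sysmon FileCreate events.
$live = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 11
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($live) { Find-WacDropEvent -EventXml ($live | ForEach-Object { $_.ToXml() }) | Format-Table -AutoSize }
```

Filtering on the writing principal rather than on the writing image is deliberate: the attacker can use any copy tool, but in both chains the file must be created from a non-service context before WAC's privileged code consumes it. Pair this with a FileCreate rule in the Sysmon configuration for the WAC data path, since default community configurations do not cover it, and consider alerting on a DLL creation in Updater that is followed within seconds by a WindowsAdminCenterUpdater.exe process start, which is the race window the researchers describe.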

Microsoft confirmed the vulnerability, assigned CVE-2025-64669 an Important severity rating and awarded Cymulate a 5,000 USD bug bounty.

To help defenders assess and validate their exposure, on December 15, 2025, Cymulate updated its Exposure Validation platform with a new scenario, “WindowsAdminCenter – CVE-2025-64669 Local Privilege Escalation.” Customers can run this scenario against their Windows Admin Center gateways to test whether their configurations are vulnerable and to evaluate how well their SIEM, EDR and other endpoint security controls detect and respond to the attack patterns.

According to Cymulate’s disclosed timeline, the vulnerability was reported to Microsoft via MSRC on August 5, 2025, acknowledged on August 29 and rewarded on September 3.

On November 12, Microsoft informed the researchers that a CVE would be issued with Important severity and that a fix was planned for inclusion in the December 10 Patch Tuesday release, underscoring the urgency for organizations to track and apply the corresponding WAC updates as soon as they become available.
