Windows Admin Center Flaw CVE-2025-64669 Enables SYSTEM Privilege Escalation

Published on: December 18, 2025

Overview

A high-severity local privilege escalation vulnerability has been identified in Microsoft Windows Admin Center (WAC). Tracked as CVE-2025-64669, the issue arises from insecure directory permissions within the Windows Admin Center data directories. These directories are writable by standard users but are accessed by services and components running with elevated privileges, including NETWORK SERVICE and SYSTEM.

An attacker with local, low-privileged access to a Windows Admin Center host can exploit this weakness to escalate privileges to SYSTEM, fully compromising the affected system. Microsoft has acknowledged the issue and released a fix as part of its December 2025 security updates.

Who It Impacts

This vulnerability impacts:

  • Organizations running Windows Admin Center as a centralized management gateway
  • Environments where standard (non-admin) users have local access to WAC hosts
  • Enterprises relying on WAC for privileged administrative workflows, server management, clusters, hyper-converged infrastructure, or Windows 10/11 endpoint administration

Any organization using Windows Admin Center in multi-user or shared environments is at elevated risk.

How It Impacts

The vulnerability is caused by overly permissive filesystem permissions on the directory:

C:\ProgramData\WindowsAdminCenter

This directory and its subcomponents are writable by standard users while being trusted by WAC services operating with elevated privileges.

Attackers can exploit this condition through multiple local privilege escalation paths, including:

  • Abuse of the extension uninstall mechanism, where PowerShell scripts placed in trusted directories are executed under elevated privileges
  • DLL hijacking of the WAC updater component, leveraging a time-of-check to time-of-use (TOCTOU) flaw

Successful exploitation allows a low-privileged local user to execute arbitrary code as SYSTEM, effectively bypassing Windows privilege boundaries and gaining full control of the host.

Targeted Products

  • Microsoft Windows Admin Center
    • Versions up to and including 2.4.2.1
    • Environments running WAC 2411 and earlier

Recommendations

Immediate Actions

  • Update Windows Admin Center immediately to the latest version released by Microsoft that addresses CVE-2025-64669 (December 2025 Patch Tuesday or later).
  • Identify all WAC installations across the environment and verify patch levels.

Additional Mitigations

  • Restrict local user access to systems hosting Windows Admin Center.
  • Review and harden filesystem permissions on:
  • Monitor systems for unexpected extension activity, updater execution, or privilege escalation behavior.
  • Where feasible, isolate Windows Admin Center gateways from general-purpose user access.
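
The permission review above can be scripted. The following PowerShell is an added example, not code from Microsoft or from the original advisory: it walks the data directory named under "How It Impacts" and lists allow-ACEs that give standard-user principals write-type rights. The list of SIDs treated as "standard users" and the set of rights treated as "write" are assumptions of this example; run it from an elevated session so every ACL can be read.

```powershell
# Added example: report standard-user write access under the WAC data directory.
# The SID list and the write-rights mask are assumptions of this example.
param([string]$WacData = 'C:\ProgramData\WindowsAdminCenter')

$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal create, replace or re-permission files in a directory.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# Raw GENERIC_WRITE / GENERIC_ALL bits, which can appear unmapped in inherit-only ACEs.
$genericMask = 0x40000000 -bor 0x10000000

if (-not (Test-Path -LiteralPath $WacData)) { Write-Warning "$WacData not found"; return }

$dirs = @(Get-Item -LiteralPath $WacData -Force) +
        @(Get-ChildItem -LiteralPath $WacData -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl   = Get-Acl -LiteralPath $dir.FullName
    # Resolve to SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid    = $rule.IdentityReference.Value
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow' -and $lowPrivSids.ContainsKey($sid) -and
            ($rights -band ($writeMask -bor $genericMask))) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $lowPrivSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    "No write-capable ACEs for standard-user principals under $WacData"
}
```

Any row in the output is a directory where a low-privileged account can place or replace files that WAC services later trust; re-run the check after updating to confirm the result on each WAC host.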

Long-Term Controls

  • Include Windows Admin Center in regular vulnerability scanning and patch compliance processes.
  • Strengthen endpoint detection and response (EDR) monitoring for abnormal service or DLL loading behavior.
