{"id":20953,"date":"2026-02-03T17:29:00","date_gmt":"2026-02-03T14:29:00","guid":{"rendered":"https:\/\/oberig-it.com\/uncategorized\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/"},"modified":"2026-02-27T17:30:49","modified_gmt":"2026-02-27T14:30:49","slug":"windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges","status":"publish","type":"post","link":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/","title":{"rendered":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges"},"content":{"rendered":"<p>Security researchers have uncovered a critical vulnerability in Microsoft\u2019s Windows Admin Center (WAC) that enables standard users to escalate privileges to SYSTEM by exploiting insecure folder permissions and flawed update mechanisms.<\/p>\n<p>The flaw, tracked as CVE-2025-64669, affects all versions up to WAC 2411 and poses a significant threat to enterprise infrastructure management systems worldwide.<\/p>\n<h4>The Core Vulnerability<\/h4>\n<p>The vulnerability stems from dangerous misconfigurations in the C:\\ProgramData\\WindowsAdminCenter directory, which is writable by all standard users.<\/p>\n<p>Cymulate researchers discovered that privileged processes load content directly from this improperly secured folder, creating multiple attack vectors that can be chained to breach Windows security boundaries.<\/p>\n<p>Microsoft has <a href=\"https:\/\/cymulate.com\/blog\/cve-2025-64669-windows-admin-center\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">confirmed<\/span><\/a> the vulnerability and awarded <a href=\"https:\/\/oberig-it.com\/en\/solution_manf\/cymulate-en\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Cymulate<\/span><\/a> a $5,000 security bounty for responsible disclosure.<\/p>\n<p>Attackers can exploit the first attack vector by abusing Windows Admin Center\u2019s extension uninstallation process.<\/p>\n<p>The application searches the uninstall folder for PowerShell scripts and executes them with the AllSigned execution policy under elevated privileges.<\/p>\n<p>Since the parent directory remains writable by standard users, threat actors can place malicious signed PowerShell scripts in the uninstall folder.<\/p>\n<p>When the uninstall process is triggered through the user interface, the script executes with NETWORK SERVICE or SYSTEM privileges, granting complete administrative control.<\/p>\n<p>Researchers demonstrated this attack by creating a custom uninstall folder, placing a signed malicious script within it, and triggering the uninstall process via WAC\u2019s API.<\/p>\n<p>The payload executed successfully in an elevated context, confirming the severity of the vulnerability.<\/p>\n<p>The second attack vector targets the Windows Admin Center updater mechanism, which loads DLLs from C:\\ProgramData\\WindowsAdminCenter\\Updater, a directory writable by standard users.<\/p>\n<p>While the updater includes signature validation, researchers discovered a critical Time-of-Check Time-of-Use (TOCTOU) weakness that renders this protection ineffective.<\/p>\n<p>Attackers exploit this weakness by creating a PowerShell script that monitors the updater process, then immediately copies a <a href=\"https:\/\/cyberpress.org\/cybercriminals-use-microsoft-utility\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">malicious DLL<\/span><\/a> into the updater folder before signature validation occurs.<\/p>\n<p>This timing precision allows malicious code to execute without detection.<\/p>\n<p>Researchers confirmed the attack by creating a custom user32.dll that demonstrated code execution with SYSTEM privileges using only standard user permissions.<\/p>\n<p>Windows Admin Center is extensively deployed across enterprises globally, with IT administrators relying on WAC to manage servers, clusters, and hybrid cloud environments at scale.<\/p>\n<p>The vulnerability\u2019s broad impact affects organizations of all sizes, from small businesses to multinational corporations.<\/p>\n<p>Any attacker with local access to a Windows Admin Center gateway server can exploit this flaw to gain administrative privileges, potentially compromising entire infrastructure management systems and leading to widespread compromise across managed servers.<\/p>\n<p>Microsoft has released patches to address this vulnerability. Organizations must immediately update Windows Admin Center beyond version 2411 and conduct thorough reviews of their WAC deployments to identify potential exposure.<\/p>\n<p>Delaying remediation significantly increases the risk of unauthorized administrative access and infrastructure compromise.<\/p>\n<p>Source: <span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/cyberpress.org\/windows-admin-center-vulnerability\/\" target=\"_blank\" rel=\"noopener\">Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have uncovered a critical vulnerability in Microsoft\u2019s Windows Admin Center (WAC) that enables standard users to escalate privileges to SYSTEM by exploiting insecure folder permissions and flawed update mechanisms. The flaw, tracked as CVE-2025-64669, affects all versions up to WAC 2411 and poses a significant threat to enterprise infrastructure management systems worldwide. The [&hellip;]<\/p>\n","protected":false},"author":850,"featured_media":20900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[142],"tags":[],"class_list":["post-20953","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u261d Oberig IT blog<\/title>\n<meta name=\"description\" content=\"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u261d Oberig IT blog\" \/>\n<meta property=\"og:description\" content=\"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/\" \/>\n<meta property=\"og:site_name\" content=\"Oberig IT\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Oberig.disti\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-03T14:29:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T14:30:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1875\" \/>\n\t<meta property=\"og:image:height\" content=\"625\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Albekova Paula\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Albekova Paula\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u261d Oberig IT blog","description":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u26a1 Oberig IT blog for integrator partners, vendors and end customers","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/","og_locale":"en_US","og_type":"article","og_title":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u261d Oberig IT blog","og_description":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u26a1 Oberig IT blog for integrator partners, vendors and end customers","og_url":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/","og_site_name":"Oberig IT","article_publisher":"https:\/\/www.facebook.com\/Oberig.disti","article_published_time":"2026-02-03T14:29:00+00:00","article_modified_time":"2026-02-27T14:30:49+00:00","og_image":[{"width":1875,"height":625,"url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg","type":"image\/jpeg"}],"author":"Albekova Paula","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Albekova Paula","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#article","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/"},"author":{"name":"Albekova Paula","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d"},"headline":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges","datePublished":"2026-02-03T14:29:00+00:00","dateModified":"2026-02-27T14:30:49+00:00","mainEntityOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/"},"wordCount":478,"commentCount":0,"publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg","articleSection":["Articles"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/","url":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/","name":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u261d Oberig IT blog","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#primaryimage"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg","datePublished":"2026-02-03T14:29:00+00:00","dateModified":"2026-02-27T14:30:49+00:00","description":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges \u26a1 Oberig IT blog for integrator partners, vendors and end customers","breadcrumb":{"@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#primaryimage","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2026\/02\/1.jpg","width":1875,"height":625},{"@type":"BreadcrumbList","@id":"https:\/\/oberig-it.com\/en\/articles\/windows-admin-center-vulnerability-allows-attackers-to-escalate-privileges\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/oberig-it.com\/en\/"},{"@type":"ListItem","position":2,"name":"Windows Admin Center Vulnerability Allows Attackers to Escalate Privileges"}]},{"@type":"WebSite","@id":"https:\/\/oberig-it.com\/en\/#website","url":"https:\/\/oberig-it.com\/en\/","name":"Oberig IT","description":"Distribution of complex IT and information security solutions","publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/oberig-it.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/oberig-it.com\/en\/#organization","name":"Oberig IT","url":"https:\/\/oberig-it.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","caption":"Oberig IT"},"image":{"@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Oberig.disti"]},{"@type":"Person","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d","name":"Albekova Paula","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","caption":"Albekova Paula"},"sameAs":["https:\/\/oberig-it.com\/"]}]}},"_links":{"self":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/20953","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/users\/850"}],"replies":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/comments?post=20953"}],"version-history":[{"count":2,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/20953\/revisions"}],"predecessor-version":[{"id":20955,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/20953\/revisions\/20955"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media\/20900"}],"wp:attachment":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media?parent=20953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/categories?post=20953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/tags?post=20953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}