Windows Admin Center Vulnerability (CVE-2025-64669) Let Attackers Escalate Privileges

Published On: December 17, 2025

A significant local privilege escalation vulnerability has been uncovered within Microsoft’s Windows Admin Center (WAC), posing a direct threat to the integrity of systems managed by this crucial tool. Tracked as CVE-2025-64669, this flaw could allow a standard user to gain elevated privileges, potentially leading to full system compromise. For IT professionals, security analysts, and developers relying on Windows Admin Center, understanding this vulnerability and implementing timely remediation is paramount.

Understanding CVE-2025-64669: The Windows Admin Center Privilege Escalation

The core of CVE-2025-64669 lies in insecure directory permissions affecting the critical C:\ProgramData\WindowsAdminCenter folder. This directory, which is part of the default installation path for WAC, is configured such that standard users have write access. This permission configuration is problematic because services associated with Windows Admin Center often run with elevated privileges (e.g., as SYSTEM or Administrator).

An attacker can leverage these weak permissions by manipulating files within this writable directory. By placing malicious executables or scripts in a location that a highly privileged service will subsequently access and execute, a standard user can effectively trick the system into running their code with elevated rights. This “privilege escalation” bypasses security controls and grants the attacker broad control over the compromised machine.

This vulnerability impacts Windows Admin Center versions up to and including 2.4.2.1, and specifically environments running WAC 2411 and earlier builds. Organizations utilizing these affected versions are at risk and must prioritize immediate action.

Impact of Local Privilege Escalation

A successful local privilege escalation attack can have severe consequences:

  • Full System Control: Attackers can gain administrative or SYSTEM-level control over the server hosting WAC, allowing them to install malware, modify system configurations, or create new privileged user accounts.
  • Data Exfiltration: With elevated privileges, sensitive data stored on the system or accessible through its network connections can be stolen.
  • Lateral Movement: A compromised WAC instance can serve as a launchpad for attacks against other systems managed by Windows Admin Center, expanding the breach.
  • Disruption of Services: Attackers could tamper with WAC’s functionality or other critical system services, leading to operational downtime or data corruption.

Remediation Actions

Addressing CVE-2025-64669 requires immediate attention. Organizations should implement the following steps:

  • Update Windows Admin Center: The most crucial step is to upgrade your Windows Admin Center installation to a patched version as soon as it becomes available from Microsoft. Monitor official Microsoft security advisories for release details.
  • Review Directory Permissions: While awaiting an official patch, review the permissions on the C:\ProgramData\WindowsAdminCenter directory. Ensure that only necessary administrative accounts and the SYSTEM account have write access. Standard users should have read-only or no access. Exercise caution when modifying system directory permissions, and test changes in a controlled environment first.
  • Least Privilege Principle: Reiterate and enforce the principle of least privilege across your IT environment. Ensure that users and services operate with the minimum necessary permissions to perform their functions.
  • Regular Security Audits: Conduct routine security audits of your systems, including permission checks on critical directories and software installations, to identify and rectify misconfigurations.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for suspicious activity, including attempts at privilege escalation or unauthorized file modifications.

Detection and Mitigation Tools

While an official patch is the primary solution, various tools can aid in detecting potential exploitation attempts or auditing for similar vulnerabilities.

Tool Name | Purpose | Link
Sysinternals Process Monitor | Real-time file system, Registry, and process/thread activity monitoring. Can detect suspicious file writes. | https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
AccessEnum | Audits directory, file, and Registry permissions to identify weak ACLs. | https://learn.microsoft.com/en-us/sysinternals/downloads/accessenum
PowerShell (Get-Acl) | Built-in command-line tool for inspecting and modifying file and directory permissions. | https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl
Vulnerability Scanners (e.g., Nessus, Qualys) | Automated scanning for known vulnerabilities and misconfigurations. Ensure vulnerability definitions are up-to-date. | https://www.tenable.com/products/nessus

Conclusion

The discovery of CVE-2025-64669 in Windows Admin Center serves as a critical reminder of the ongoing need for vigilance in cybersecurity. Weak directory permissions represent a common attack vector for privilege escalation. Organizations should prioritize updating their WAC installations, conduct thorough permission audits, and reinforce least privilege principles to protect against this and similar threats. Proactive security measures are essential for maintaining the integrity of critical IT infrastructure.
