A high-severity security oversight in Microsoft’s Windows Admin Center (WAC) has been unearthed, revealing how a basic permission error could allow any standard user to seize complete control of a server. A new report from Cymulate Research Labs details the discovery of CVE-2025-64669 (CVSS 7.8), a Local Privilege Escalation (LPE) vulnerability that affects widely used versions of the infrastructure management tool.
The flaw, which Microsoft has since acknowledged and patched, turns a routine administrative utility into a potential weapon for attackers already inside a network.
The vulnerability stems from a surprisingly simple configuration error: a directory used by WAC's privileged components was left writable. Researchers found that C:\ProgramData\WindowsAdminCenter was configured to be writable by all standard users.
“The root cause lies in insecure directory permissions where the C:\ProgramData\WindowsAdminCenter folder is writable by all standard users,” the report states.
This oversight meant that any low-privileged user on the system could tamper with files consumed by the Admin Center's most powerful processes. “Standard users with access to the underlying filesystem can leverage this misconfiguration to escalate privileges,” the report adds.
While finding a writable folder is one thing, weaponizing it is another. The researchers identified two distinct paths to exploit this flaw, but the most ingenious method involved tricking the WAC’s own updater.
The team found that they could perform a DLL hijacking attack against the WindowsAdminCenterUpdater.exe process. There was an obstacle, however: digital signatures were validated before the updater was allowed to load files.
“We almost gave up but then noticed something interesting,” the researchers wrote. The check and the later use of its result were not atomic, which left a classic Time-of-Check Time-of-Use (TOCTOU) window. “The validation process happens inside the WindowsAdminCenter process itself, and after it finishes, it calls and opens WindowsAdminCenterUpdater.exe.”
By writing a script to race the system, they were able to replace a legitimate file with a malicious one after the check had passed but before the updater loaded it.
“This worked flawlessly. The DLL executed with SYSTEM privileges,” the report confirms.
By chaining these techniques, an attacker with basic access could elevate themselves to SYSTEM—the highest level of privilege on a Windows machine.
“Both vectors enable escalation from a low-privileged user to SYSTEM, effectively breaking the Windows security boundary,” the report concludes.
Microsoft has assigned the issue CVE-2025-64669 and awarded the Cymulate team a $5,000 bounty for their findings. Administrators running Windows Admin Center are urged to update to version 2411 or later without delay to close this high-severity gap.
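The two things an administrator can verify on a host are the ones this article turns on: whether C:\ProgramData\WindowsAdminCenter still grants write rights to standard users, and whether the installed build is at or above the 2411 fix version. The PowerShell audit below is an added example written for this page; it is not code from the Cymulate report or from Microsoft. It assumes that WAC registers under the standard Uninstall registry keys with a DisplayName beginning "Windows Admin Center", and that the release number (2411) appears as a four-digit component of the DisplayVersion string; both are assumptions, not facts stated in the article. Run it from an elevated prompt so Get-Acl can read the full ACL.

```powershell
# Audit for CVE-2025-64669 conditions: writable WAC ProgramData directory
# and an unpatched Windows Admin Center build. Added example, not from the
# original report. Run as an administrator.

$wacDir       = 'C:\ProgramData\WindowsAdminCenter'
$fixedRelease = 2411   # first release the article says contains the fix

# Principals that represent "any standard user" on a Windows host.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a user plant, replace or remove files in a directory.
# Modify and FullControl are supersets, so a bitwise test catches them too.
$writeRights = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, ChangePermissions, TakeOwnership'

function Get-WacWritableAces {
    # Returns Allow ACEs on the WAC directory tree that hand write-class
    # rights to low-privileged principals. Empty result = nothing found.
    param([string]$Path = $wacDir)

    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    $targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
                            Select-Object -ExpandProperty FullName)

    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory   = $dir
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                IsInherited = $ace.IsInherited
            }
        }
    }
}

function Get-WacDisplayVersion {
    # Assumption: WAC's MSI registers under the standard Uninstall keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Windows Admin Center*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-WacReleasePatched {
    # Assumption: the release number is a four-digit component of the
    # DisplayVersion, e.g. "1.5.2411.12345" or simply "2411".
    param([string]$DisplayVersion)
    if (-not $DisplayVersion) { return $false }
    $release = ($DisplayVersion -split '\.') | Where-Object { $_ -match '^\d{4}$' } | Select-Object -First 1
    if (-not $release) { return $false }
    return ([int]$release -ge $fixedRelease)
}

# --- Report -------------------------------------------------------------
$aces = @(Get-WacWritableAces)
if ($aces.Count -gt 0) {
    Write-Warning "$wacDir tree grants write-class rights to standard users:"
    $aces | Format-Table -AutoSize
} else {
    Write-Output "$wacDir : no write-class ACEs for standard users (or directory absent)."
}

$ver = Get-WacDisplayVersion
if ($ver) {
    $state = if (Test-WacReleasePatched $ver) { 'release >= 2411 (fixed)' } else { 'release < 2411 (UPDATE)' }
    Write-Output "Windows Admin Center DisplayVersion $ver : $state"
} else {
    Write-Output 'Windows Admin Center not found under the Uninstall registry keys.'
}
```

The ACL walk covers subdirectories as well as the top-level folder, because an inherited Modify ACE on a child directory is just as useful to an attacker as one on the root. A non-empty ACE list on an unpatched host is exactly the precondition the report describes; on a host already at 2411 or later the directory should be checked anyway, since a prior installation's permissions can survive an upgrade and the script will tell you if they did.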