PT-2025-50669 · Microsoft · Windows Admin Center

Published 2025-12-09 · Updated 2026-01-24 · CVE-2025-64669

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Windows Admin Center versions prior to 2.4.2.1
Windows Admin Center versions prior to 2411

Description

An improper access control issue exists in Windows Admin Center. This allows an authorized attacker to elevate privileges locally, potentially gaining SYSTEM-level access. The issue stems from insecure directory permissions, specifically a writable C:\ProgramData\WindowsAdminCenter directory used by high-privilege services. Two primary exploitation vectors were identified: abuse of the extension uninstall mechanism through signed PowerShell script substitution in the C:\ProgramData\WindowsAdminCenter\Extensions\uninstall directory, and a Time-of-Check-to-Time-of-Use (TOCTOU) attack involving DLL hijacking in the C:\ProgramData\WindowsAdminCenter\Updater directory via Windows Management Instrumentation (WMI) event monitoring of the WindowsAdminCenterUpdater.exe process, specifically targeting the /api/update endpoint.

Recommendations

Update Windows Admin Center to a version greater than 2.4.2.1.
Update Windows Admin Center to version 2411 or later.
As an additional measure, or if updating is not possible, modify the Access Control List (ACL) on C:\ProgramData\WindowsAdminCenter to deny write access for regular users. Restrict access to the Extensions and Updater subfolders to SYSTEM and administrators only.
As a temporary workaround, consider disabling the extension uninstall functionality until a patch is available.
As a temporary workaround, restrict access to the /api/update endpoint until a patch is available.
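
A read-only audit for the directory permission condition the ACL recommendation addresses, as an added example that is not part of this advisory or of Microsoft's tooling. It assumes the default data path named in the description and treats only SYSTEM and BUILTIN\Administrators as expected writers; any other principal it lists needs review.

```powershell
# Added example, not vendor code. Read-only audit; run from an elevated prompt.
$root = 'C:\ProgramData\WindowsAdminCenter'   # path named in the advisory

# Assumption: only SYSTEM and BUILTIN\Administrators should hold write access.
$trusted = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow planting, replacing or re-permissioning files. No read
# bits are included, so read-only ACEs never match.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs

if (-not (Test-Path -LiteralPath $root -PathType Container)) {
    Write-Output "$root not found; nothing to audit."
    return
}

# The root plus every subfolder, which covers Extensions and Updater.
$dirs = @(Get-Item -LiteralPath $root -Force) +
        @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (for example CREATOR OWNER) do not apply to this folder itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }

        $raw = [int]$ace.FileSystemRights
        if (($raw -band [int]$writeMask) -or ($raw -band $genericWriteOrAll)) {
            # Resolve the SID to a name where possible; fall back to the SID string.
            $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $ace.IdentityReference.Value }
            [pscustomobject]@{
                Path = $dir.FullName; Principal = $name
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-capable ACEs for non-administrative principals under $root." }
```

Rows marked as inherited come from a parent folder's ACL, so removing them means changing or breaking inheritance at the Windows Admin Center folder rather than editing the subfolder alone.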

Fix

LPE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-15997
CVE-2025-64669

Affected Products

Windows Admin Center