PT-2025-50669 · Microsoft · Windows Admin Center

Published 2025-12-11 · Updated 2025-12-16 · CVE-2025-64669

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Windows Admin Center versions prior to 2411
Windows Admin Center versions up to 2.4.2.1

Description

An improper access control issue exists in Windows Admin Center, allowing an authorized attacker to elevate privileges locally. The issue stems from insecure directory permissions, specifically a writable C:\ProgramData\WindowsAdminCenter directory used by high-privilege services. Two primary exploitation vectors were identified: Extension Uninstall Mechanism Abuse, involving the substitution of signed PowerShell scripts during extension uninstallation, and Updater DLL Hijacking, a TOCTOU (Time-of-Check to Time-of-Use) attack targeting the /api/update endpoint. The vulnerability allows low-privileged users to escalate to SYSTEM privileges.

Recommendations

Update Windows Admin Center to version 2411 or later. For versions prior to 2411 that cannot be updated, change the Access Control List (ACL) on C:\ProgramData\WindowsAdminCenter to prevent write access for regular users. Restrict access to the Extensions and Updater subfolders to SYSTEM and administrators only.
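
To check whether a host still has the permissive ACL before and after applying the workaround, the following read-only audit lists every allow entry that grants write-type rights to anyone other than SYSTEM and Administrators. It is an added example, not code from this advisory or from Microsoft; it assumes the Extensions and Updater subfolders sit directly under the data directory, and the choice of which rights count as "write" is also an assumption.

```powershell
# Added example: read-only ACL audit for the Windows Admin Center data directory.
# Assumption: Extensions and Updater are direct children of $Root.
$Root    = 'C:\ProgramData\WindowsAdminCenter'
$Targets = @($Root, (Join-Path $Root 'Extensions'), (Join-Path $Root 'Updater'))

# Principals the advisory allows to keep write access (SIDs are locale-independent).
$Allowed = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Rights that let a principal plant, replace or re-permission files (assumed set).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry unmapped GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000).
$Mask = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

$findings = foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present, skipped: $path"
        continue
    }
    $acl   = Get-Acl -LiteralPath $path
    # Include explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($Allowed -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $Mask) -eq 0) { continue }
        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $path
            Account   = $name
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No write access for principals other than SYSTEM and Administrators.'
}
```

Entries reported with Inherited set to True come from a parent folder, so removing them means breaking or changing inheritance on the directory rather than deleting a single ACE.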

Fix

LPE

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2025-64669

Affected Products

Windows Admin Center