CVE-2025-64669 Overview
CVE-2025-64669 is an improper access control vulnerability in Microsoft Windows Admin Center. An authenticated local attacker can exploit the flaw to elevate privileges on an affected host. The weakness is categorized under [CWE-284] (Improper Access Control) and carries a CVSS 3.1 base score of 7.8.
Exploitation requires local access and low privileges, with no user interaction. Successful attacks compromise confidentiality, integrity, and availability of the targeted system. Microsoft published guidance through the Microsoft Security Response Center advisory.
Critical Impact
A low-privileged local user can elevate to administrative privileges on the host running Windows Admin Center. Because the gateway holds the credentials and connections used to administer other servers, control of that host is in practice control of the management plane and a pivot toward the systems it manages.
Affected Products
- Microsoft Windows Admin Center
- Deployments where Windows Admin Center is installed on Windows Server hosts
- Workstation installations using Windows Admin Center for remote server management
Discovery Timeline
- 2025-12-11 - CVE-2025-64669 published to the National Vulnerability Database
- 2025-12-12 - Last updated in NVD database
Technical Details for CVE-2025-64669
Vulnerability Analysis
The vulnerability stems from improper access control within Windows Admin Center. Windows Admin Center is a browser-based management tool that runs with elevated privileges to administer Windows Server and Windows client systems. When access control checks fail to enforce the intended privilege boundary, a low-privileged authenticated user can perform actions reserved for administrators.
The issue is locally exploitable, meaning the attacker must already have a valid session or local foothold on the host running Windows Admin Center. Network-based exploitation is not required. The attack complexity is low, indicating reliable exploitation once preconditions are met.
The Exploit Prediction Scoring System (EPSS) currently rates the probability of near-term exploitation as low, but the High impact on confidentiality, integrity and availability warrants prioritized remediation on management infrastructure, where a single escalation has an outsized blast radius.
Root Cause
The root cause is improper enforcement of access control checks ([CWE-284]) within Windows Admin Center. Functions or interfaces intended for privileged users are reachable from a lower privilege context. This allows an authorized but unprivileged user to invoke operations that should be restricted.
Attack Vector
The attack vector is local. An attacker who has authenticated to a system hosting Windows Admin Center invokes the affected component to perform privileged operations. Because Windows Admin Center is commonly deployed on jump hosts and management servers, a successful escalation provides administrative control over the management plane.
No public proof-of-concept code is available at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details are described in the Microsoft Security Advisory CVE-2025-64669.
Detection Methods for CVE-2025-64669
Indicators of Compromise
- Unexpected privileged operations performed through Windows Admin Center by accounts that lack administrative roles
- New local administrator accounts or group membership changes originating from the Windows Admin Center service host
- Process creation events under the Windows Admin Center service context spawning command shells or scripting engines
Detection Strategies
- Audit Windows Admin Center activity logs for privilege-sensitive actions tied to non-administrative principals
- Correlate Windows Security Event ID 4672 (special privileges assigned) and 4732 (member added to security-enabled local group) with sessions originating from the Windows Admin Center process
- Baseline normal administrative behavior on management hosts and alert on deviations such as off-hours configuration changes
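The correlation described in the indicators and detection strategies above, as an added hunting script that is not part of the advisory or of Microsoft's tooling. It reads the local Security log, resolves the gateway binary from the ServerManagementGateway service definition (an assumption about the service name; the binary name itself is not hard-coded), and reports 4672 and 4732 events whose logon session was created by that binary, plus 4688 events where the gateway spawned a shell or script engine. It assumes auditing for Logon, Special Logon, Security Group Management and Process Creation is enabled and that it runs elevated.

```powershell
# Added example, not code from the advisory or from Microsoft: hunt the local Security log for
# privilege-sensitive events (4672, 4732, 4688) tied to the Windows Admin Center gateway process.
# Assumptions: the gateway runs as the service 'ServerManagementGateway'; auditing for Logon,
# Special Logon, Security Group Management and Process Creation is enabled; run as Administrator.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# Resolve the gateway executable from the service definition instead of hard-coding a binary name.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ServerManagementGateway'"
if (-not $svc) { throw "Windows Admin Center gateway service not found on this host." }
$gatewayExe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

function Get-EventDataMap {
    # Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Get-SecurityEvents {
    param([int[]]$Id)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction Stop
    } catch {
        @()   # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    }
}

# 1. Logon sessions that the gateway process itself created (4624 carries the calling ProcessName).
#    Network logons report '-' as ProcessName, so this join is a starting point, not full coverage.
$gatewaySessions = @{}
foreach ($e in (Get-SecurityEvents -Id 4624)) {
    $d = Get-EventDataMap $e
    if ($d['ProcessName'] -and ($d['ProcessName'] -ieq $gatewayExe)) {
        $gatewaySessions[$d['TargetLogonId']] = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# 2. Special privileges assigned (4672) or local group membership changes (4732) from those sessions.
foreach ($e in (Get-SecurityEvents -Id 4672, 4732)) {
    $d = Get-EventDataMap $e
    $logonId = $d['SubjectLogonId']
    if (-not $gatewaySessions.ContainsKey($logonId)) { continue }
    $detail = if ($e.Id -eq 4672) { $d['PrivilegeList'] } else { "$($d['MemberName']) added to $($d['TargetUserName'])" }
    $findings.Add([pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId = $logonId
        Detail  = $detail
    })
}

# 3. Command shells or script engines spawned directly under the gateway process (4688).
$shells = '\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$'
foreach ($e in (Get-SecurityEvents -Id 4688)) {
    $d = Get-EventDataMap $e
    if (($d['ParentProcessName'] -ieq $gatewayExe) -and ($d['NewProcessName'] -imatch $shells)) {
        $findings.Add([pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId = $d['SubjectLogonId']
            Detail  = "$($d['NewProcessName']) spawned by $($d['ParentProcessName'])"
        })
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it on the gateway host with a lookback that covers your log retention, then compare the Actor column against the accounts that are actually entitled to administer the host; any non-administrative principal appearing in a 4672 or 4732 row is the first indicator listed above. Treat the 4624 join as a floor rather than a ceiling: the gateway's own session and any logon that 4624 records without a caller process will not be attributed by this script and need the gateway's own log (Applications and Services Logs, Microsoft-ServerManagementExperience) for context.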
Monitoring Recommendations
- Forward Windows Admin Center and Windows Security event logs to a centralized analytics platform for retention and search
- Monitor authentication events to the Windows Admin Center gateway and flag low-privileged accounts that interact with privileged modules
- Track patch state of Windows Admin Center across the fleet and alert on unpatched hosts performing administrative actions
How to Mitigate CVE-2025-64669
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Advisory CVE-2025-64669 on all hosts running Windows Admin Center
- Inventory all systems with Windows Admin Center installed and prioritize patching of internet-adjacent and shared management hosts
- Restrict local logon rights on Windows Admin Center hosts to a minimal set of administrators
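The inventory and patch-state checks above (and the fleet tracking recommended under Monitoring Recommendations), as an added script that is not part of the advisory. It queries each host over WinRM for the Windows Admin Center uninstall registration and the gateway service, and flags versions below a fixed build that you supply from the Microsoft advisory; the script deliberately does not hard-code that build, because this page does not state it. It assumes WinRM is enabled and the caller is an administrator on every target.

```powershell
# Added example, not the advisory's own tooling: inventory Windows Admin Center installs across
# a list of hosts and flag versions older than the fixed build recorded from the Microsoft advisory.
# Assumptions: WinRM is enabled and the caller is an administrator on each target; the fixed
# build number is NOT known to this script and must be supplied from the advisory (-FixedVersion).
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [Parameter(Mandatory)][version]$FixedVersion
)

$scan = {
    # The installer registers under the MSI uninstall keys, which record the installed version.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Windows Admin Center*' } |
           Select-Object -First 1
    $svc = Get-Service -Name ServerManagementGateway -ErrorAction SilentlyContinue
    $version = $null
    if ($app) { $version = $app.DisplayVersion }
    $gatewayState = 'absent'
    if ($svc) { $gatewayState = [string]$svc.Status }
    [pscustomobject]@{ Installed = [bool]$app; DisplayVersion = $version; ServiceStatus = $gatewayState }
}

$results = foreach ($computer in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $scan -ErrorAction Stop
        $status = if (-not $r.Installed) { 'not installed' }
                  elseif ([version]$r.DisplayVersion -lt $FixedVersion) { 'vulnerable: patch required' }
                  else { 'patched' }
        [pscustomobject]@{ Computer = $computer; Version = $r.DisplayVersion; Gateway = $r.ServiceStatus; Status = $status }
    } catch {
        # Unreachable hosts are reported rather than silently dropped; an unknown host is an unpatched host.
        [pscustomobject]@{ Computer = $computer; Version = $null; Gateway = 'unknown'; Status = "query failed: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
```

Feed it the host list from your CMDB or Active Directory rather than a hand-typed list, so a gateway someone installed on a workstation does not escape the sweep, and keep the "query failed" rows in the work queue: a host that cannot be queried cannot be shown to be patched.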
Patch Information
Microsoft has issued a fixed version through the standard update channel. Refer to the Microsoft Security Advisory CVE-2025-64669 for the specific build numbers and update package applicable to your deployment.
Workarounds
- Limit interactive and remote desktop access to Windows Admin Center hosts using Group Policy and just-in-time access controls
- Place Windows Admin Center on dedicated privileged access workstations or jump servers isolated from general user workloads
- Enforce multi-factor authentication and conditional access for accounts permitted to authenticate to the Windows Admin Center gateway
# Configuration example: restrict interactive and Remote Desktop logon on the gateway host to a defined admin group via secedit
secedit /export /cfg current.inf /areas USER_RIGHTS
# Edit current.inf so the [Privilege Rights] section grants these rights to the approved group SID only, for example:
#   SeInteractiveLogonRight = *S-1-5-32-544
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544
# S-1-5-32-544 is the built-in Administrators group; substitute the SID of your dedicated gateway admin group.
# Confirm your own account is a member of that group before applying, or you will lock yourself out of the host.
secedit /configure /db secedit.sdb /cfg current.inf /overwrite /areas USER_RIGHTS
# On a domain-joined host, Group Policy overrides this local setting at the next refresh; put the same assignment in the GPO that targets the gateway OU.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.