Local Privilege Escalation Vulnerabilities in Windows Management Tools
A critical vulnerability in the JumpCloud Remote Assist for Windows agent (CVE-2025-34352) allows a standard user on a company-managed device to gain full, persistent SYSTEM-level control. The flaw, discovered by XM Cyber, arises from the agent's uninstallation process, which performs privileged file operations in a user-controlled temporary folder. This enables local users to exploit the uninstall routine to overwrite or delete sensitive system files, resulting in either local privilege escalation or denial of service. Over 180,000 organizations using JumpCloud are potentially at risk until the issue is remediated.
Separately, Microsoft’s Windows Admin Center (WAC) is affected by a local privilege escalation vulnerability (CVE-2025-64669) due to insecure directory permissions on C:\ProgramData\WindowsAdminCenter. Standard users can write to this directory, which is also accessed by services running with elevated privileges, allowing attackers to exploit extension uninstall mechanisms or DLL hijacking to obtain SYSTEM-level access. Both vulnerabilities highlight the risks posed by improper privilege separation and insecure file system permissions in widely deployed Windows management tools.
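A defender-side check for the directory-permission condition described above, as an added example that is not from Microsoft, Cymulate or the original reporting: it lists access-control entries on C:\ProgramData\WindowsAdminCenter that grant write-type rights to broad low-privilege groups. The function name `Get-LowPrivWritableAce`, the set of well-known SIDs and the rights mask are assumptions of this example.

```powershell
# Added example: audit a directory tree for write access granted to broad,
# low-privilege principals. The default path is the one named in the advisory.
function Get-LowPrivWritableAce {
    param(
        [string]$Path = 'C:\ProgramData\WindowsAdminCenter',
        [switch]$Recurse
    )

    # Well-known SIDs (locale independent) that include standard users.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a caller plant, replace or remove files.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
        $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
    # Generic rights appear as raw bits on some inherit-only ACEs.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    $targets = @(Get-Item -LiteralPath $Path -Force -ErrorAction Stop)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs rather than names so matching does not depend on OS language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or -not $lowPriv.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $lowPriv[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-LowPrivWritableAce -Recurse | Format-Table -AutoSize
```

An empty result means none of the listed groups holds write-type rights on the scanned directories; any row returned is a location where a standard user can create or replace files that an elevated service may later load or act on.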
Timeline
Dec 16, 2025
Windows Admin Center privilege escalation details become public
Public disclosure detailed CVE-2025-64669, a local privilege escalation vulnerability in Microsoft Windows Admin Center caused by writable privileged directories under C:\ProgramData\WindowsAdminCenter. Reporting also noted Cymulate had added validation coverage to help organizations test exposure.
Dec 16, 2025
JumpCloud Remote Assist flaw publicly disclosed
Public reporting described CVE-2025-34352 as a high-severity vulnerability affecting the JumpCloud Remote Assist for Windows agent used by more than 180,000 organizations. The bug was said to be immediately exploitable for persistent privileged access, prompting organizations to update immediately.
Dec 16, 2025
JumpCloud fixes Remote Assist Windows agent privilege escalation flaw
After security researcher Hillel Pinto of XM Cyber discovered CVE-2025-34352 in JumpCloud Remote Assist for Windows, JumpCloud fixed the flaw in version 0.317.0 or later, following a responsible disclosure process. The flaw could let a regular user escalate privileges to SYSTEM or cause denial of service via the agent's uninstaller behavior in user-controlled temporary folders.
Dec 10, 2025
Microsoft schedules fix for Windows Admin Center flaw in December Patch Tuesday
Microsoft confirmed CVE-2025-64669, rated it Important, and planned to release a fix in the December 10 Patch Tuesday update for affected Windows Admin Center versions. The issue affects versions up to 2.4.2.1 and environments running WAC 2411 and earlier.
Aug 5, 2025
Cymulate reports Windows Admin Center privilege escalation to Microsoft
Cymulate disclosed CVE-2025-64669 to Microsoft on 2025-08-05 after identifying local privilege escalation paths in Windows Admin Center involving insecure directory permissions, extension uninstall abuse, and updater DLL hijacking. Microsoft later awarded a bug bounty for the finding.
Related Stories

Critical Privilege Escalation in Windows Admin Center (CVE-2026-26119)
Microsoft disclosed and patched a **critical elevation-of-privilege vulnerability** in *Windows Admin Center (WAC)* tracked as **CVE-2026-26119**. The issue is caused by **improper authentication** (`CWE-287`) and is rated **CVSS 8.8** with a network attack vector (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`). An attacker with **low/limited existing privileges** could exploit the flaw over the network to gain elevated privileges equivalent to the user context running WAC, which is particularly high impact given WAC’s role in centralized administration of Windows servers. Microsoft’s advisory indicates the vulnerability was newly published in its Security Update Guide and is addressed via an **official Windows Admin Center security update**; organizations are advised to apply the update promptly. Public reporting also notes Microsoft has **not observed active exploitation** at the time of disclosure, but assesses exploitation as **more likely** due to low attack complexity and typical enterprise exposure of WAC deployments; no public PoC was noted. Microsoft credited **Andrea Pierini (Semperis)** for responsible disclosure.
1 month ago
Windows Admin Center flaws exposed hybrid Azure and on-prem environments to takeover
Researchers disclosed multiple vulnerabilities in Microsoft **Windows Admin Center (WAC)** that could let attackers compromise hybrid environments spanning **Azure** and on-premises infrastructure. Cymulate said one exploit chain enabled **unauthenticated, one-click remote code execution** when a victim visited a malicious URL, combining response-based cross-site scripting, insecure redirect handling, and insecure credential storage to steal credentials, run arbitrary **PowerShell** commands, and capture Azure tokens. The issues affected both Azure-integrated and on-prem deployments, with the most severe risk falling on self-managed on-prem WAC instances that could be used to execute commands on managed servers and pivot into cloud resources. Additional flaws presented at Black Hat Asia were tracked as **`CVE-2025-64669`**, **`CVE-2026-20965`**, **`CVE-2026-23660`**, and **`CVE-2026-32196`**, including a non-write-protected on-prem WAC directory and weaknesses in proof-of-possession token validation that could allow token reuse or forgery and takeover of tenant VMs. Microsoft said Azure-managed instances received server-side fixes after responsible disclosure, and the company has patched the broader set of vulnerabilities with no evidence of active exploitation. Researchers urged organizations to update on-prem WAC immediately, remove outdated exposed instances, and treat both cloud and on-prem management planes as **tier-zero assets** because WAC can serve as a bidirectional path between the two environments.
1 week ago
Microsoft Discloses Elevation of Privilege Flaws in MMC, Partner Center, and Microsoft 365 Copilot
Microsoft published security advisories for three **elevation of privilege** vulnerabilities affecting **Microsoft Management Console**, **Microsoft Partner Center**, and **Microsoft 365 Copilot**. The issues are tracked as `CVE-2026-27914`, `CVE-2026-24303`, and `CVE-2026-33102`, respectively, and were added to the Microsoft Security Update Guide as separate product-specific flaws. The disclosures indicate that both on-premises administrative tooling and cloud-connected Microsoft services are affected by privilege-escalation weaknesses. While Microsoft did not provide public synopses in the referenced advisories, the listings identify the impacted products and classify each issue as an elevation of privilege vulnerability, signaling potential risk to administrators, partners, and enterprise users relying on those platforms.
1 week ago