Local Privilege Escalation Vulnerabilities in Windows Management Tools
A critical vulnerability in the JumpCloud Remote Assist for Windows agent (CVE-2025-34352) allows a standard user on a company-managed device to gain full, persistent SYSTEM-level control. The flaw, discovered by XM Cyber, arises from the agent's uninstallation process, which performs privileged file operations in a user-controlled temporary folder. This enables local users to exploit the uninstall routine to overwrite or delete sensitive system files, resulting in either local privilege escalation or denial of service. Over 180,000 organizations using JumpCloud are potentially at risk until the issue is remediated.
Separately, Microsoft’s Windows Admin Center (WAC) is affected by a local privilege escalation vulnerability (CVE-2025-64669) due to insecure directory permissions on C:\ProgramData\WindowsAdminCenter. Standard users can write to this directory, which is also accessed by services running with elevated privileges, allowing attackers to exploit extension uninstall mechanisms or DLL hijacking to obtain SYSTEM-level access. Both vulnerabilities highlight the risks posed by improper privilege separation and insecure file system permissions in widely deployed Windows management tools.
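The common root of both stories is a directory that an elevated service reads from or writes to while standard users can also write there. The PowerShell below is an added example (not code from XM Cyber, Microsoft or any advisory) that audits such directories for ACEs granting write-type rights to broad principals; the WAC path is from the story, the second path is a placeholder.

```powershell
# Added example: list ACEs that let standard users write into directories
# that privileged services also use (the weakness behind CVE-2025-64669).
# Only the WindowsAdminCenter path comes from the story; the second is a placeholder.
$Paths = @(
    'C:\ProgramData\WindowsAdminCenter',
    'C:\ProgramData\ExampleAgent'   # placeholder for any other agent data directory
)

# Principals every non-admin interactive user belongs to.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that allow creating, replacing or deleting files in the directory.
# Modify and FullControl already include these bits, so they match too.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic-right bits (GENERIC_WRITE etc.) on inherit-only ACEs are not
        # expanded here; review those manually if they appear in the Rights column.
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [PSCustomObject]@{
            Path      = $path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceFlags
        }
    }
}
```

A non-empty result means a standard user can plant or replace files where a SYSTEM component will later act on them; the fix is the vendor update rather than hand-editing the ACL, since the service may depend on the current layout.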
Related Stories

Critical Privilege Escalation in Windows Admin Center (CVE-2026-26119)
Microsoft disclosed and patched a **critical elevation-of-privilege vulnerability** in *Windows Admin Center (WAC)* tracked as **CVE-2026-26119**. The issue is caused by **improper authentication** (`CWE-287`) and is rated **CVSS 8.8** with a network attack vector (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`). An attacker with **low/limited existing privileges** could exploit the flaw over the network to gain elevated privileges equivalent to the user context running WAC, which is particularly high impact given WAC’s role in centralized administration of Windows servers. Microsoft’s advisory indicates the vulnerability was newly published in its Security Update Guide and is addressed via an **official Windows Admin Center security update**; organizations are advised to apply the update promptly. Public reporting also notes Microsoft has **not observed active exploitation** at the time of disclosure, but assesses exploitation as **more likely** due to low attack complexity and typical enterprise exposure of WAC deployments; no public PoC was noted. Microsoft credited **Andrea Pierini (Semperis)** for responsible disclosure.
Local Privilege Escalation Flaws in Enterprise VPN/SASE Windows Clients
Two separate local privilege-escalation issues were disclosed in widely deployed Windows remote-access clients. WatchGuard published an advisory for **NCP IPSec VPN Client** as shipped with *WatchGuard Mobile VPN with IPSec* for Windows, where installation/update/uninstall actions can briefly open interactive `cmd.exe` windows running as **SYSTEM**; on older Windows versions, an attacker with local access can execute commands in that prompt to gain **SYSTEM** privileges and bypass administrative protections. WatchGuard states the issue affects versions up to **15.19** and is fixed in **15.33** (advisory **WGSA-2026-00002**, tracked as **NCPVE-2025-0626**). Separately, reporting described a privilege-escalation weakness in **Check Point Harmony SASE (Perimeter81) Windows client** tracked as **CVE-2025-9142**, affecting versions **below 12.2**. The issue is attributed to insufficient validation of **JWT** values passed via a URI handler (`perimeter81://`) to a SYSTEM-privileged service component (`Perimeter81.Service.exe`), enabling directory traversal (e.g., `../../../`) and file write/delete outside the intended certificate working directory; the described attack chain includes crafting a malicious URL, abusing a whitelisted auth domain, and using symlink/object-manager tricks to redirect certificate writes performed with SYSTEM privileges, potentially leading to full local compromise.
Remote Code Execution Vulnerabilities in Microsoft Update Services Exploited
A critical remote code execution (RCE) vulnerability was discovered in Microsoft's Update Health Tools (KB4023057), a utility designed to facilitate rapid security updates via Intune. Researchers found that a misconfiguration involving abandoned Azure blob storage allowed attackers to register a storage account and receive requests from vulnerable devices worldwide, enabling arbitrary code execution. Microsoft has since responded to the disclosure, and newer versions of the tool have addressed the issue, but devices running the original version remain at risk if not updated. Separately, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was actively exploited by threat actors to deploy the ShadowPad backdoor malware. Attackers leveraged this flaw to gain system-level access using PowerCat and subsequently installed ShadowPad via `certutil` and `curl`. The exploitation of these vulnerabilities highlights the risks associated with update management tools and the importance of timely patching and secure configuration to prevent compromise by advanced persistent threats.