Researchers disclosed multiple vulnerabilities in Microsoft Windows Admin Center (WAC) that could let attackers compromise hybrid environments spanning Azure and on-premises infrastructure. Cymulate said one exploit chain enabled unauthenticated, one-click remote code execution when a victim visited a malicious URL, combining response-based cross-site scripting, insecure redirect handling, and insecure credential storage to steal credentials, run arbitrary PowerShell commands, and capture Azure tokens. The issues affected both Azure-integrated and on-prem deployments, with the most severe risk falling on self-managed on-prem WAC instances that could be used to execute commands on managed servers and pivot into cloud resources.
Additional flaws presented at Black Hat Asia were tracked as CVE-2025-64669, CVE-2026-20965, CVE-2026-23660, and CVE-2026-32196, including a non-write-protected on-prem WAC directory and weaknesses in proof-of-possession token validation that could allow token reuse or forgery and takeover of tenant VMs. Microsoft said Azure-managed instances received server-side fixes after responsible disclosure, and the company has patched the broader set of vulnerabilities with no evidence of active exploitation. Researchers urged organizations to update on-prem WAC immediately, remove outdated exposed instances, and treat both cloud and on-prem management planes as tier-zero assets because WAC can serve as a bidirectional path between the two environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
At Black Hat Asia, Cymulate researchers publicly disclosed the Windows Admin Center vulnerabilities and described how they could enable one-click unauthenticated RCE, credential theft, token abuse, and movement between on-premises and Azure environments. They warned that on-premises deployments were especially exposed and urged organizations to update and verify no outdated instances remained accessible.
Microsoft patched four vulnerabilities affecting Windows Admin Center in hybrid Azure and on-premises environments, including CVE-2025-64669, CVE-2026-20965, CVE-2026-23660, and CVE-2026-32196. Reporting states there was no indication of active exploitation at the time of disclosure.
After the responsible disclosure, Microsoft deployed server-side mitigations for Azure-managed Windows Admin Center instances, automatically protecting cloud customers. The fixes addressed the Azure side of the disclosed attack chain.
Cymulate Research Labs reported a critical Windows Admin Center vulnerability chain to Microsoft under responsible disclosure. The disclosure date is explicitly given as August 22, 2025.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.