Hybrid clouds have two attack surfaces – so watch both • The Register


Black Hat Asia Israeli researchers found a series of flaws in Microsoft’s Windows Admin Center (WAC) and suggest this shows hybrid cloud management tools are a two-way attack surface that users don’t spend enough time worrying about.

Speaking at the Black Hat Asia conference in Singapore today, Ilan Kalendarov and Ben Zamir of Cymulate delivered a talk titled “Breaking Hybrid Boundaries Across Azure and Windows” in which they detailed four CVEs they found and reported to Microsoft – CVE-2025-64669, CVE-2026-20965, CVE-2026-23660, and CVE-2026-32196 – all of which Microsoft has since fixed.

All relate to WAC.

Microsoft offers two versions of WAC – a cloudy version hosted in Azure and an on-prem edition. According to Kalendarov and Zamir, the directory the latter lives in was not write-protected, so an attacker could drop all sorts of nastyware alongside WAC.

Both versions of WAC also rely on a check-access token and a proof of possession (POP) token to identify resources they manage, but VMs don’t validate all the fields in the POP token. The researchers also found the POP token can be re-used or forged, allowing attackers to take over a tenant VM managed under WAC. Resources managed by Microsoft Arc are also at risk.
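The validation gap described above is the difference between checking a token's signature and checking every claim it carries. The following Python is an added illustration, not code from Cymulate, Microsoft or WAC: it uses a constructed, simplified token format (an HMAC-signed JSON body with assumed claim names aud, resource, exp, nonce and cnf) to contrast a lax validator that only verifies the signature with a strict one that also binds the token to the target resource, the presenting key, an expiry window, and a once-only nonce. The replay and wrong-resource cases the strict validator rejects are exactly the ones the lax validator lets through.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier would hold the issuer's verification key.
SECRET = b"constructed-demo-signing-key"
EXPECTED_AUDIENCE = "wac-gateway"  # assumed audience label for this demo


def mint(payload: dict) -> str:
    """Issue a demo token: base64url(JSON body) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse(token: str):
    """Verify the signature and return the claims, or None if the tag is bad."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class LaxValidator:
    """Checks the signature only: a genuine token for VM A also 'proves'
    possession for VM B, and the same token can be presented repeatedly."""

    def accept(self, token, resource, key_thumbprint, now) -> bool:
        return parse(token) is not None


class StrictValidator:
    """Checks every claim the token carries, plus single use of the nonce."""

    def __init__(self):
        self.seen_nonces = set()

    def accept(self, token, resource, key_thumbprint, now) -> bool:
        claims = parse(token)
        if claims is None:
            return False
        required = {"aud", "resource", "exp", "nonce", "cnf"}
        if not required <= claims.keys():
            return False  # a field the verifier never looks at cannot protect anything
        if claims["aud"] != EXPECTED_AUDIENCE:
            return False
        if claims["resource"] != resource:
            return False  # token minted for another managed VM
        if claims["cnf"] != key_thumbprint:
            return False  # presenter does not hold the key the token is bound to
        if claims["exp"] <= now:
            return False
        if claims["nonce"] in self.seen_nonces:
            return False  # replay
        self.seen_nonces.add(claims["nonce"])
        return True


def demo():
    """Run both validators over one token and return their verdicts."""
    now = 1_700_000_000
    token = mint({"aud": EXPECTED_AUDIENCE, "resource": "vm-a", "cnf": "thumb-1",
                  "exp": now + 300, "nonce": "n-42"})
    lax, strict = LaxValidator(), StrictValidator()
    return {
        "lax_first": lax.accept(token, "vm-a", "thumb-1", now),
        "lax_replay": lax.accept(token, "vm-a", "thumb-1", now),
        "lax_wrong_vm": lax.accept(token, "vm-b", "thumb-1", now),
        "strict_first": strict.accept(token, "vm-a", "thumb-1", now),
        "strict_replay": strict.accept(token, "vm-a", "thumb-1", now),
        "strict_wrong_vm": strict.accept(token, "vm-b", "thumb-1", now),
        "strict_wrong_key": strict.accept(token, "vm-a", "thumb-2", now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The nonce cache is per verifier instance here; in a fleet of managed VMs it would need to be shared or replaced by a short expiry window, since a replay against a different VM instance is the case the talk describes.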

There’s no sign any of the CVEs the researchers found are under active exploit; the worst of them rated a 7.8 CVSS score. Cymulate disclosed its findings responsibly and Microsoft published patches, so these aren’t terrifying flaws.

But Kalendarov and Zamir think their findings should worry organizations that run hybrid clouds, because the flaws they discovered mean an attacker could use on-prem WAC to attack Azure, and cloudy WAC to attack on-prem resources.

The pair opened their talk with the “This is fine” meme that shows a dog ignoring a decidedly threatening fire.

The researchers suggested hybrid clouds may well be on fire, too, and that users aren’t sufficiently worried about that.

“Your hybrid management plane is an attack surface you are not monitoring enough,” Kalendarov said. “You must look at both cloud and on-prem. Treat all systems as tier zero.”

And if you are worried about the attacks made possible by the CVEs Cymulate spotted, look out for identities you set up to operate cloudy resources accessing on-prem systems instead, and vice versa.
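The monitoring advice above reduces to one rule: every management identity was created for a particular plane, so an event where it touches the other plane is worth an alert. The Python below is an added example, not from the article or from Cymulate; it assumes a constructed inventory that records which plane each identity was provisioned for and a constructed JSON-lines audit feed with `identity`, `target` and `target_plane` fields. Both the inventory and the log lines are made up for the demonstration.

```python
import json

# Constructed inventory: the plane each management identity was set up to operate.
IDENTITY_SCOPE = {
    "svc-wac-azure": "cloud",     # provisioned to manage Azure-side resources only
    "svc-wac-onprem": "onprem",   # provisioned to manage on-prem hosts only
    "admin-jsmith": "both",       # break-glass admin allowed on either plane
}

# Constructed audit feed (JSON lines); field names are assumptions for this demo.
SAMPLE_LOG = """
{"ts": "2025-10-01T08:00:01Z", "identity": "svc-wac-azure",  "target": "vm-prod-01",  "target_plane": "cloud"}
{"ts": "2025-10-01T08:02:10Z", "identity": "svc-wac-onprem", "target": "hv-host-03",  "target_plane": "onprem"}
{"ts": "2025-10-01T08:05:44Z", "identity": "svc-wac-azure",  "target": "hv-host-03",  "target_plane": "onprem"}
{"ts": "2025-10-01T08:07:19Z", "identity": "svc-wac-onprem", "target": "vm-prod-02",  "target_plane": "cloud"}
{"ts": "2025-10-01T08:09:00Z", "identity": "admin-jsmith",   "target": "vm-prod-02",  "target_plane": "cloud"}
{"ts": "2025-10-01T08:11:32Z", "identity": "svc-unknown-7",  "target": "hv-host-01",  "target_plane": "onprem"}
"""


def parse_events(text: str):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def cross_plane_alerts(events, scope=IDENTITY_SCOPE):
    """Flag identities acting outside the plane they were provisioned for,
    and identities the inventory does not know at all."""
    alerts = []
    for e in events:
        expected = scope.get(e["identity"])
        if expected is None:
            alerts.append((e["ts"], e["identity"], e["target"],
                           "management identity not in inventory"))
        elif expected != "both" and expected != e["target_plane"]:
            alerts.append((e["ts"], e["identity"], e["target"],
                           f"{expected}-scoped identity touched a {e['target_plane']} resource"))
    return alerts


def run_demo():
    """Apply the rule to the constructed feed and return the alerts."""
    return cross_plane_alerts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, ident, target, reason in run_demo():
        print(f"{ts} {ident} -> {target}: {reason}")
```

The inventory is the part that takes real work: the rule is only as good as the record of which plane each identity was meant for, and identities marked "both" should be few and reviewed.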

The Register asked the duo if they’ve looked at other common hybrid cloud management tools, such as those from Nutanix and VMware. They told us they researched WAC due to its large user population, but expressed interest in probing other hybrid cloud tools. ®
