Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
According to the CVSS metrics, successful exploitation of this vulnerability could lead to a minor loss of confidentiality (C:L), but major integrity (I:H), and availability (A:H). What does that mean for this vulnerability?

Successful exploitation primarily allows a low-privileged attacker to perform unauthorized actions that affect the system's integrity and availability. Specifically, the attacker could install an arbitrary available Windows Admin Center version from the update catalog, which can overwrite or alter the existing installation and disrupt normal operation. This is why integrity and availability are rated as high impact. The impact to confidentiality is considered limited because exploitation does not directly expose sensitive information. However, there is a potential for indirect confidentiality impact if the attacker installs a version that contains known information disclosure issues or weaker security protections.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An authenticated attacker with low privileges could gain the ability to perform actions that should require higher-level permissions. Specifically, they could install an arbitrary available Windows Admin Center version from the update catalog. This includes reinstalling the current version, installing older versions, or installing any other available version that is not the latest, including versions that may contain known vulnerabilities. This effectively allows the attacker to make unauthorized changes to the software configuration beyond what their assigned access level is intended to permit.

How could an attacker exploit this vulnerability?

An authenticated attacker with low-privileged access could exploit this vulnerability by sending a specially crafted request to the affected Windows Admin Center update API, allowing them to perform actions that their assigned permissions should not normally permit.
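The FAQ above describes the classic "missing authorization" failure: the update API confirms that the caller is authenticated but never checks whether that caller is allowed to change the installed version. The following Python model is an added illustration and is not Windows Admin Center or Microsoft code; the version strings, catalog, role name "admin" and audit format are all constructed for the example. It places the unchecked handler beside a hardened one that requires an explicit privilege, refuses reinstalls and downgrades, and records denied requests so that attempts to exploit this class of bug leave an audit trail.

```python
"""Hypothetical model of an update endpoint (not Windows Admin Center code).

Shows why an authentication-only gate is insufficient: any signed-in user,
including a low-privileged one, can push the server onto an older or
re-installed version. The hardened handler adds the two checks a defender
wants: an authorization check and a downgrade guard, both audited.
"""
from dataclasses import dataclass, field

# Constructed update catalog; these version strings are made up for the example.
CATALOG = {"2.3.0", "2.4.0", "2.5.0"}
LATEST = "2.5.0"


@dataclass(frozen=True)
class Principal:
    """An authenticated caller and the roles granted to it (constructed roles)."""
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Server:
    """Minimal state of the managed host: installed version plus an audit log."""
    installed: str = LATEST
    audit: list = field(default_factory=list)


def version_tuple(version: str) -> tuple:
    """Parse 'major.minor.patch' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def install_vulnerable(server: Server, caller: Principal, requested: str) -> str:
    """Missing-authorization pattern: the caller is authenticated (we have a
    Principal) but nobody checks whether this caller may change versions."""
    if requested not in CATALOG:
        raise ValueError(f"unknown version {requested}")
    server.installed = requested          # any user can reinstall or downgrade
    server.audit.append(f"INSTALL user={caller.name} version={requested}")
    return f"installed {requested}"


def install_hardened(server: Server, caller: Principal, requested: str) -> str:
    """Same endpoint with an authorization check and a downgrade guard.

    'admin' is a constructed role name standing in for whatever privilege the
    real product ties to update operations."""
    if requested not in CATALOG:
        raise ValueError(f"unknown version {requested}")

    # 1. Authorization: authenticated is not the same as permitted.
    if "admin" not in caller.roles:
        server.audit.append(f"DENY reason=unauthorized user={caller.name} version={requested}")
        raise PermissionError("caller lacks the update privilege")

    # 2. Downgrade / reinstall guard: only a strictly newer version is accepted,
    #    which closes the "install a version with known issues" path.
    if version_tuple(requested) <= version_tuple(server.installed):
        server.audit.append(f"DENY reason=not_newer user={caller.name} "
                            f"installed={server.installed} version={requested}")
        raise PermissionError("only upgrades to a newer version are permitted")

    server.installed = requested
    server.audit.append(f"INSTALL user={caller.name} version={requested}")
    return f"installed {requested}"


def demo() -> dict:
    """Run both handlers with a constructed low-privileged caller and an admin."""
    helpdesk = Principal("helpdesk", frozenset({"reader"}))
    admin = Principal("ops-admin", frozenset({"reader", "admin"}))
    results = {}

    weak = Server()                       # starts on LATEST
    results["vulnerable_downgrade"] = install_vulnerable(weak, helpdesk, "2.3.0")
    results["vulnerable_installed"] = weak.installed

    strong = Server(installed="2.4.0")
    for who, version in ((helpdesk, "2.3.0"), (admin, "2.3.0"), (admin, "2.4.0")):
        try:
            install_hardened(strong, who, version)
        except PermissionError as exc:
            results[f"denied_{who.name}_{version}"] = str(exc)
    results["hardened_upgrade"] = install_hardened(strong, admin, "2.5.0")
    results["hardened_installed"] = strong.installed
    results["hardened_audit"] = list(strong.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit lines are the detection hook: a `DENY reason=unauthorized` entry from a non-administrative account against an update endpoint is exactly the signal to alert on, and a successful `INSTALL` of a version lower than the one previously recorded is a downgrade worth investigating even on a patched system.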
Acknowledgements: Sho Odagiri with GMO Cybersecurity by Ierae inc (https://gmo-cybersecurity.com/)