CVE-2025-64669
Improper · Improper Multiple Products
A high-severity vulnerability has been identified in multiple products from the vendor Improper, specifically within components related to Windows Admin Center.
Executive summary
A high-severity vulnerability has been identified in multiple products from the vendor Improper, specifically within components related to Windows Admin Center. This flaw allows an authenticated but low-privileged user on a system to improperly gain full administrative control, which could lead to a complete compromise of the affected server.
Vulnerability
The vulnerability is an improper access control flaw within the Windows Admin Center integration components. An attacker who already holds authenticated access to a target system with standard user privileges can exploit it: files or service configuration belonging to the software carry permissions that allow modification by standard users, and by tampering with them the attacker can have code of their choosing executed with elevated privileges, such as those of the SYSTEM account. This bypasses the normal privilege boundary between a standard user and the operating system and grants the attacker full administrative control over the local machine. Exploitation is local; the attacker does not need network access to the Windows Admin Center gateway, only a foothold on the host.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected server. An attacker could escalate their privileges to the highest level (SYSTEM/Administrator), allowing them to steal sensitive data, install persistent malware or ransomware, disable security software, and use the compromised machine to launch further attacks against the internal network. This poses a significant risk to data confidentiality, integrity, and availability, potentially causing severe operational and financial damage.
Remediation
Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, it is crucial to monitor systems for any signs of exploitation attempts and review system and application access logs for unusual activity that may have occurred prior to the patch deployment.
Proactive Monitoring: Implement enhanced monitoring of endpoints running the affected software. Specifically, security teams should look for:
- Log Analysis: Scrutinize Windows Event Logs for privilege escalation activity. Event ID 4672 (special privileges assigned to new logon) is recorded for every administrative logon, including routine ones, so on its own it is noise; treat it as a pivot point and correlate it with Event ID 4688 (process creation), which requires Audit Process Creation to be enabled and, to see command lines, the "Include command line in process creation events" policy. Look for process creations whose parent is a Windows Admin Center or affected-product service but whose child runs as SYSTEM and is a shell or a binary outside the expected install directory, as well as unexpected modifications to system files, service configuration, or registry keys.
- File Integrity Monitoring: Monitor the installation directories of the affected products and Windows Admin Center for unauthorized changes to executables or configuration files.
- Endpoint Detection and Response (EDR): Ensure EDR solutions are configured to detect and alert on common privilege escalation techniques and subsequent lateral movement activities.
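As an added example, not part of this advisory and not vendor tooling, the following PowerShell applies the log-analysis guidance above: it parses Security event 4688 records and flags cases where a process under a watched install path spawned a child that runs as SYSTEM and is either a shell or a binary outside the trusted program directories. The install path (C:\Program Files\Windows Admin Center), the parent binary name sme.exe used in the constructed sample records, and the shell list are assumptions to adjust for the affected products; the live query only returns data on a host where process-creation auditing is enabled.

```powershell
# Added example (not from the advisory): flag 4688 process-creation events in which a
# process under an assumed Windows Admin Center install path spawns a SYSTEM-level child.
# Requires "Audit Process Creation" (and, for CommandLine, the "Include command line in
# process creation events" policy). Paths and binary names below are assumptions.

$WatchedParentPaths = @('C:\Program Files\Windows Admin Center\')   # assumption: default install dir
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'mshta.exe')
$SystemSid = 'S-1-5-18'

function ConvertFrom-Event4688 {
    # Turn one 4688 record into a hashtable keyed by EventData field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-SuspiciousProcessCreation {
    # True when a watched parent spawned a child that runs as SYSTEM and is either a
    # shell/LOLBin or lives outside Windows / Program Files (i.e. a user-writable location).
    param([hashtable]$E)
    $parent = [string]$E['ParentProcessName']
    $child  = [string]$E['NewProcessName']
    if (-not $parent -or -not $child) { return $false }

    $fromWatchedParent = $WatchedParentPaths | Where-Object {
        $parent.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }
    if (-not $fromWatchedParent) { return $false }

    # In 4688, SubjectUserSid is the creator; TargetUserSid is the account the new process runs as.
    $runsAsSystem = ($E['TargetUserSid'] -eq $SystemSid)
    $leaf = [System.IO.Path]::GetFileName($child)
    $isShell = $SuspiciousChildren -contains $leaf
    $inTrustedDir = $child -match '^(C:\\Windows\\|C:\\Program Files( \(x86\))?\\)'
    return ($runsAsSystem -and ($isShell -or -not $inTrustedDir))
}

function Find-SuspiciousProcessCreations {
    # Query the Security log and report matching 4688 events.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4688 $_ } |
        Where-Object { Test-SuspiciousProcessCreation $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Creator = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
                Parent  = $_.ParentProcessName
                Child   = $_.NewProcessName
                RunsAs  = "$($_.TargetDomainName)\$($_.TargetUserName)"
                Command = $_.CommandLine
            }
        }
}

# Constructed sample records (not real log data) so the rule can be exercised offline.
$samples = @(
    @{ ParentProcessName = 'C:\Program Files\Windows Admin Center\sme.exe'   # hypothetical parent binary
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       TargetUserSid     = 'S-1-5-18'; SubjectUserName = 'alice'; TimeCreated = (Get-Date) },
    @{ ParentProcessName = 'C:\Program Files\Windows Admin Center\sme.exe'
       NewProcessName    = 'C:\Program Files\Windows Admin Center\helper.exe'   # hypothetical, in trusted dir
       TargetUserSid     = 'S-1-5-18'; SubjectUserName = 'SYSTEM'; TimeCreated = (Get-Date) },
    @{ ParentProcessName = 'C:\Windows\explorer.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       TargetUserSid     = 'S-1-5-18'; TimeCreated = (Get-Date) }
)
$samples | ForEach-Object {
    '{0} -> {1}: {2}' -f $_.ParentProcessName, $_.NewProcessName, (Test-SuspiciousProcessCreation $_)
}

# Live query on a host with process-creation auditing enabled:
# Find-SuspiciousProcessCreations -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Of the three constructed records only the first (watched parent, SYSTEM cmd.exe) is flagged; the second is a SYSTEM child inside the trusted directory and the third has an unwatched parent. Tune the parent path list and the trusted-directory pattern to the real install locations of the affected products before relying on the rule.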
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:
- Enforce Least Privilege: Ensure that users and service accounts operate with the minimum level of privilege necessary. Restrict interactive logon access to servers to only authorized administrators.
- Application Whitelisting: Use application control solutions like Windows Defender Application Control (WDAC) or AppLocker to prevent the execution of unauthorized executables in user-writable locations.
- Harden System Configurations: Review permissions on the installation directories, service binaries and service objects related to Windows Admin Center and the affected products. Remove write, modify, delete or change-permission rights held by Users, Authenticated Users, Everyone or INTERACTIVE on those files and directories, and check the service security descriptors (sc.exe sdshow) so that standard users cannot change a service's binary path or configuration or take ownership of it. Also look for unquoted service paths containing spaces, which let a user who can write to an intermediate directory hijack the service binary.
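As an added example, not part of this advisory and not vendor tooling, the following PowerShell performs the permission review described above and also covers the file/service tampering path described in the Vulnerability section: for each Windows service it extracts the binary, checks the binary's and its directory's ACL for write-class rights granted to low-privilege identities, parses the service security descriptor for change-config, WRITE_DAC, WRITE_OWNER or generic-write grants to those identities, and reports unquoted paths with spaces. Which service names belong to Windows Admin Center and the affected products is not stated in the advisory; the -NameFilter parameter defaults to all services, and the example filter value ServerManagementGateway is an assumption. Run it as an administrator.

```powershell
# Added example (not from the advisory): find services whose binaries, directories or
# service objects can be modified by a standard user. Service names are assumptions;
# by default every service is checked. Run in an elevated PowerShell session.

# Identities every standard user holds; a write-class grant to any of them is a finding.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
$FileWriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName; $null when empty.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    # Unquoted: keep everything before the first " -" or " /" argument marker.
    return ($PathName -split '\s+[-/]')[0].Trim()
}

function Test-WeakFileAcl {
    # Emit the Allow ACEs that grant write-class rights to a low-privilege identity.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # Specific write bits, plus GENERIC_ALL (0x10000000) / GENERIC_WRITE (0x40000000) as seen on inherited ACEs.
        if ((($rights -band [int]$FileWriteRights) -ne 0) -or (($rights -band 0x50000000) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Test-WeakServiceSddl {
    # Parse `sc.exe sdshow`; flag Allow ACEs giving DC (change config), WD (WRITE_DAC),
    # WO (WRITE_OWNER), GA or GW to Authenticated Users (AU), Users (BU), Everyone (WD) or Interactive (IU).
    param([string]$ServiceName)
    $sddl = (& sc.exe sdshow $ServiceName 2>$null) -join ''
    $pattern = '\(A;[^;]*;([^;)]*);[^;]*;[^;]*;(AU|BU|WD|IU)\)'
    foreach ($m in [regex]::Matches($sddl, $pattern)) {
        $rights = $m.Groups[1].Value
        if ($rights.StartsWith('0x')) { continue }   # raw hex access mask: not decoded here
        $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $weak = @($codes | Where-Object { @('DC', 'WD', 'WO', 'GA', 'GW') -contains $_ })
        if ($weak.Count -gt 0) {
            [pscustomobject]@{ Service = $ServiceName; Trustee = $m.Groups[2].Value; Rights = ($weak -join ',') }
        }
    }
}

function Find-WeakServicePermissions {
    param([string]$NameFilter = '*')   # e.g. '*ServerManagementGateway*' (assumed WAC gateway service name)
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.Name -like $NameFilter })) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if ($exe -and ($svc.PathName -notmatch '^"') -and ($exe -match ' ')) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = 'Unquoted service path with spaces'; Detail = $svc.PathName }
        }
        if ($exe) {
            foreach ($p in @($exe, (Split-Path -Parent $exe))) {
                Test-WeakFileAcl $p | ForEach-Object {
                    [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = "Writable by $($_.Identity)"; Detail = "$($_.Path): $($_.Rights)" }
                }
            }
        }
        Test-WeakServiceSddl $svc.Name | ForEach-Object {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Finding = "Service object modifiable by $($_.Trustee)"; Detail = $_.Rights }
        }
    }
}

Find-WeakServicePermissions | Format-Table -AutoSize
```

Findings on services whose RunsAs is LocalSystem are the ones that reproduce the advisory's scenario: a standard user who can overwrite the binary, drop a file into its directory, or reconfigure the service gets code running as SYSTEM on the next start. The SDDL check only decodes the two-letter rights form; a descriptor that uses a hexadecimal access mask is skipped and should be reviewed by hand.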
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.8) of this local privilege escalation vulnerability, immediate action is required. Although this CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, the risk of a full system compromise is significant. Organizations are strongly advised to prioritize the deployment of the vendor-supplied security updates to all affected systems. If patching is delayed, the compensating controls outlined above should be implemented to mitigate the immediate risk. Continuous monitoring for indicators of compromise is essential both pre- and post-patching.