At Black Hat Asia, researchers from Cymulate disclosed four CVEs in Microsoft's Windows Admin Center (WAC) that expose hybrid cloud environments to bidirectional attacks. The flaws include an unprotected installation directory in the on-prem WAC version and weaknesses in proof-of-possession (POP) token validation that allow token reuse or forgery to compromise tenant VMs. Microsoft has patched all four CVEs (maximum CVSS 7.8). The key takeaway: hybrid cloud management planes are undermonitored attack surfaces, and organizations should treat both cloud and on-prem systems as tier-zero assets and monitor for cross-environment identity misuse.