Black Hat Asia Israeli researchers found a series of flaws in Microsoft's Windows Admin Center (WAC) and suggest this shows hybrid cloud management tools are a two-way attack surface that users don't spend enough time worrying about. Speaking at the Black Hat Asia conference in Singapore today, Ilan Kalendarov and Ben Zamir of Cymulate delivered a talk titled "Breaking Hybrid Boundaries Across Azure and Windows" in which they detailed four CVEs they found and reported to Microsoft – 2025-64669 , 2026-20965 , 2026-23660 , and 2026-32196 – which has since fixed the flaws. All relate to WAC. Microsoft offers two versions of WAC – a cloudy version hosted in Azure and an on-prem edition. According to Kalendarov and Zamir, the directory the latter lives in was not write-protected, so an attacker could drop all sorts of nastyware alongside WAC.…