Hybrid Clouds Have Two Attack Surfaces – Monitor Both to Strengthen Security
Researchers from Cymulate have identified multiple security vulnerabilities in Microsoft’s Windows Admin Center that demonstrate how hybrid cloud environments create bidirectional attack surfaces requiring attention from both on-premises and cloud perspectives.
Speaking at the Black Hat Asia conference in Singapore on April 23, 2026, Ilan Kalendarov and Ben Zamir presented findings on four CVEs affecting versions of Windows Admin Center: CVE-2025-64669, CVE-2026-20965, CVE-2026-23660, and CVE-2026-32196. These flaws were reported to Microsoft and subsequently patched.
The vulnerabilities stem from insufficient security controls in how Windows Admin Center manages access tokens. Specifically, the directory housing the on-premises edition lacked proper write protection, potentially allowing attackers to deploy malicious software alongside the application.
Both cloud-hosted and on-premises versions rely on check-access tokens and proof of possession (POP) tokens for resource identification. However, virtual machines do not validate all fields in the POP token, creating opportunities for token reuse or forgery that could enable attackers to take control of tenant virtual machines managed through Windows Admin Center.
Resources managed by Microsoft Azure Arc are also exposed to these risks, according to the researchers. While none of the identified CVEs show signs of active exploitation in the wild, the highest severity flaw received a CVSS score of 7.8.
Kalendarov emphasized that hybrid cloud management represents an under-monitored attack surface, stating: “Your hybrid management plane is an attack surface you are not monitoring enough. You must look at both cloud and on-prem. Treat all systems as tier zero.”
The research highlights a critical security consideration for organizations operating hybrid cloud infrastructures: weaknesses in management tools can enable threats to traverse between environments in either direction. A compromise of on-premises Windows Admin Center could potentially target Azure resources, while vulnerabilities in the cloud-hosted version might threaten on-premises systems.
Microsoft has addressed the disclosed vulnerabilities through security patches following responsible disclosure by Cymulate. The findings serve as a reminder that effective hybrid cloud security requires monitoring and protection of management interfaces across both environments rather than focusing solely on workload protections.
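For the write-protection finding described above, a defender can audit the install directory of a management tool for write-capable ACL entries held by unexpected principals. The PowerShell below is an added example, not code from Cymulate or Microsoft; the install path is a placeholder the reader supplies, and the function name and the list of trusted SIDs are assumptions.

```powershell
# Added example: list write-capable Allow ACEs held by principals outside an allow-list.
function Find-WritableAce {
    param(
        # Placeholder: pass the real install directory of the management tool.
        [Parameter(Mandatory)] [string] $InstallDir,
        # Assumption: SYSTEM, Administrators, TrustedInstaller and the
        # inherit-only CREATOR OWNER entry are the only expected writers.
        [string[]] $TrustedSid = @(
            'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
        )
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Rights that allow planting or replacing files, or rewriting the ACL.
    $write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Get-Acl can return unmapped generic bits: GENERIC_WRITE, GENERIC_ALL.
    $generic = 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $InstallDir -Force) +
             @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than abort
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSid -contains $sid) { continue }
            $rights = [int]$ace.FileSystemRights
            if (-not ($rights -band ($write -bor $generic))) { continue }
            # Resolve the SID for readability; orphaned SIDs stay as-is.
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }
            [pscustomobject]@{
                Path      = $item.FullName
                Account   = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (path is a placeholder):
# Find-WritableAce -InstallDir 'C:\Path\To\InstallDir' | Format-Table -AutoSize
```

Each row returned names a principal outside the allow-list that can create, replace or delete files beside the application binaries, or change the ACL that protects them.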
