Hybrid Clouds Have Two Attack Surfaces and You’re Not Paying Enough Attention to Either

The Register
Apr 23, 2026

Why It Matters

The dual‑direction risk means a breach in either on‑prem or cloud can cascade across the entire hybrid infrastructure, amplifying potential damage for enterprises that rely on seamless integration.

Key Takeaways

  • Windows Admin Center’s (WAC) on‑prem installation directory lacked write protection, enabling malicious file drops
  • POP tokens can be forged, allowing takeover of tenant VMs
  • Hybrid attack surface lets on‑prem breaches compromise Azure resources
  • Cymulate’s disclosure prompted Microsoft patches, but monitoring gaps remain

Pulse Analysis

Hybrid cloud strategies promise flexibility, yet they also create a shared management plane that can become a single point of failure. The recent discovery of four CVEs in Microsoft’s Windows Admin Center underscores how tools designed to bridge on‑premises and cloud workloads can inadvertently open two‑way pathways for attackers. By exploiting an unprotected directory in the on‑prem version and weak validation of proof‑of‑possession tokens, threat actors could plant malware locally or hijack Azure virtual machines, blurring the traditional perimeter boundaries.

Technical analysis reveals that the vulnerabilities stem from inconsistent token handling and insufficient hardening of the on‑prem installation directory. The POP token, intended to verify resource ownership, was not fully validated, allowing reuse or forgery. This flaw enabled lateral movement from a compromised on‑prem WAC instance into Azure, and vice versa, putting workloads managed by Microsoft Arc at risk as well. Although the CVSS scores peaked at 7.8 and no active exploits have been observed, the patches released by Microsoft demonstrate the urgency of addressing hybrid‑cloud attack vectors before they are weaponized.
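To make concrete what "not fully validated" means for a proof‑of‑possession token, the following is an added example, written for this page and not taken from the article, Cymulate's research, or Microsoft's code; it does not describe Windows Admin Center's real token format. It contrasts a weak verifier that checks only the issuer signature and expiry (so a token captured from one host works from any other) with a verifier that also checks audience, the key binding in the `cnf` claim, request freshness, and a replay cache. The token layout, key table, audience URL and request paths are all constructed, and the `cnf` binding uses a symmetric key table so the example runs with only the Python standard library; a production scheme would bind a public key instead.

```python
"""Weak vs. full validation of a proof-of-possession (PoP) token.

Constructed example. Token layout, key ids, audience and paths are hypothetical
and do not reflect any real Windows Admin Center token scheme.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed issuer key: signs the PoP token itself.
ISSUER_KEY = b"constructed-issuer-signing-key"
# Constructed client keys registered out of band, looked up by key id. A real
# scheme would put a public key in cnf; symmetric keys keep this stdlib-only.
CLIENT_KEYS = {"vm-agent-01": b"constructed-client-key-01"}
EXPECTED_AUDIENCE = "https://management.example/hybrid-gateway"  # constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_token(kid: str, jti: str, now: float, ttl: int = 300,
                aud: str = EXPECTED_AUDIENCE) -> str:
    """Issuer side: the cnf claim binds the token to the holder's key id."""
    claims = {"aud": aud, "exp": int(now) + ttl, "jti": jti, "cnf": {"kid": kid}}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(ISSUER_KEY, body.encode())}"


def _request_message(method: str, path: str, ts: int, nonce: str) -> bytes:
    return f"{method}\n{path}\n{ts}\n{nonce}".encode()


def sign_request(key: bytes, method: str, path: str, now: float,
                 nonce: Optional[str] = None) -> dict:
    """Client side: prove possession by signing the request with the bound key."""
    nonce = nonce or secrets.token_hex(8)
    ts = int(now)
    return {"method": method, "path": path, "ts": ts, "nonce": nonce,
            "sig": _sign(key, _request_message(method, path, ts, nonce))}


def _parse_token(token: str) -> Optional[dict]:
    """Return the claims if the issuer signature verifies, else None."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(ISSUER_KEY, body.encode()).encode()):
        return None
    return json.loads(_unb64(body))


def weak_validate(token: str, now: float) -> bool:
    """Checks only issuer signature and expiry; ignores who presents the token."""
    claims = _parse_token(token)
    return claims is not None and claims["exp"] > now


class PopVerifier:
    """Full check: signature, audience, expiry, key binding, freshness, replay."""

    def __init__(self, skew: int = 60):
        self.skew = skew
        self.seen = set()  # (kid, nonce) pairs already accepted

    def validate(self, token: str, request: dict, now: float) -> bool:
        claims = _parse_token(token)
        if claims is None or claims.get("aud") != EXPECTED_AUDIENCE:
            return False
        if claims["exp"] <= now:
            return False
        kid = claims.get("cnf", {}).get("kid")
        key = CLIENT_KEYS.get(kid)
        if key is None:
            return False  # token bound to an unknown key
        if abs(now - request["ts"]) > self.skew:
            return False  # stale or future-dated proof
        if (kid, request["nonce"]) in self.seen:
            return False  # replayed proof
        expected = _sign(key, _request_message(
            request["method"], request["path"], request["ts"], request["nonce"]))
        if not hmac.compare_digest(expected.encode(), request["sig"].encode()):
            return False  # presenter does not hold the bound key
        self.seen.add((kid, request["nonce"]))
        return True
```

The weak verifier is the one to watch for in reviews: every check it performs passes for a token that was copied off a compromised on‑prem host, because nothing ties the token to the request or to the caller's key. The `PopVerifier` rejects the same token when the request signature does not verify under the `cnf`‑bound key, when the proof is replayed, stale, expired, or meant for a different audience.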

Enterprises must treat the hybrid management layer as a tier‑zero asset, implementing continuous monitoring, strict token lifecycle controls, and hardened configurations for both cloud‑hosted and on‑premises components. The incident also raises questions about the security posture of competing tools from vendors like Nutanix and VMware, which have yet to undergo similar scrutiny. Proactive assessments, regular patch cycles, and zero‑trust principles across the entire hybrid stack will be essential to prevent a single breach from igniting a broader compromise.
