Outbreak Alert: Vulnerability in Active Directory Domain Services allows privilege escalation – CVE-2026-25177
- Security Team

- Mar 20

The ICS Labs CTI has identified that a critical vulnerability has been disclosed in Microsoft Active Directory Domain Services (AD DS), identified as CVE-2026-25177, and patched by Microsoft in the March 2026 security update package.
The flaw has a CVSS score of 8.8, classifying it as high severity. The issue affects the validation mechanism for resource and file names in AD, allowing authorized network attackers to exploit inconsistencies in Unicode character handling to manipulate service identities within the domain.
The vulnerability impacts multiple Windows versions, including Windows 10, Windows 11, and Windows Server versions starting from 2012, potentially compromising corporate environments that rely heavily on centralized Kerberos-based authentication.
Threat Overview
The vulnerability arises from inadequate restriction of resource names during validation (CWE-641) within AD. An attacker can exploit this behavior to create Service Principal Names (SPNs) or User Principal Names (UPNs) that look identical to existing ones but differ only by invisible Unicode characters, so AD treats them as distinct values.
This method allows bypassing Active Directory’s duplicate-checking mechanisms. When a client requests Kerberos authentication for a service with a duplicated SPN, the domain controller may issue a ticket encrypted with the wrong key.
This behavior can lead to two primary scenarios:
Denial of Service (DoS) on the target service, which will reject the invalid ticket.
Fallback to NTLM authentication, if still enabled, significantly reducing the security of the environment.
To exploit the flaw, the attacker only needs standard permission to write or modify SPNs on a service, which may exist in permissive configurations or after initial credential compromise.
If successfully exploited, the vulnerability can result in privilege escalation to SYSTEM level, granting full control over the affected server and possible compromise of the entire domain.
At this time, no public exploits or known active attacks have been reported.
Recommended Actions
Apply the March 2026 security updates provided by Microsoft on all affected systems.
Review permissions of accounts that can modify SPNs or UPNs, ensuring that only administrators or strictly necessary accounts have such capabilities.
Monitor logs and changes in Active Directory, especially events related to SPN creation or modification.
Disable NTLM authentication whenever possible to prevent fallback in case of Kerberos failure.
Validate the uniqueness of SPNs in the environment using administrative tools or auditing scripts.
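The last two actions above (reviewing which accounts carry SPNs/UPNs and validating SPN uniqueness) need a comparison that is stricter than the one AD performs, because `setspn -X` only reports exact duplicates. The following PowerShell script is an added example, not tooling from the advisory or from Microsoft: it normalizes each value by removing Unicode format characters and combining marks and folding case, then reports values that collide after normalization and any value containing non-ASCII code points. The live query assumes the RSAT ActiveDirectory module; the objects in `$sample` are constructed test data, and the object names and SPNs in them are hypothetical.

```powershell
# Added example (not the advisory's own tooling): audit servicePrincipalName / userPrincipalName
# values across the domain for entries that are identical once invisible Unicode characters and
# case are removed. Requires the RSAT ActiveDirectory module for the live query; the sample
# objects at the bottom are constructed test data.

function Get-NormalizedName {
    # Strip Unicode format characters (zero-width space/joiner, word joiner, BOM, bidi controls)
    # and combining marks, then fold case: two names that collide after this are lookalikes.
    param([Parameter(Mandatory)][string]$Name)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Name.ToCharArray()) {
        $cat = [char]::GetUnicodeCategory($ch)
        if ($cat -eq [System.Globalization.UnicodeCategory]::Format -or
            $cat -eq [System.Globalization.UnicodeCategory]::NonSpacingMark) { continue }
        [void]$sb.Append($ch)
    }
    $sb.ToString().Trim().ToLowerInvariant()
}

function Find-LookalikeName {
    # $Objects: anything with DistinguishedName plus the attribute named by -Attribute
    # (Get-ADObject / Get-ADUser output, or constructed objects). Returns one finding per
    # non-ASCII value and one per group of values that collide after normalization; exact
    # duplicates (same value on two objects) collide too and are reported as well.
    param(
        [Parameter(Mandatory)][object[]]$Objects,
        [string]$Attribute = 'servicePrincipalName'
    )
    $index    = @{}    # normalized value -> list of "DN : original value"
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($obj in $Objects) {
        foreach ($value in @($obj.$Attribute)) {
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $value = [string]$value
            # Any code point outside printable ASCII is unusual enough in an SPN/UPN to report alone
            if ($value -match '[^\x20-\x7E]') {
                $findings.Add([pscustomobject]@{
                    Type = 'NonAsciiValue'; Key = $value; Members = $obj.DistinguishedName })
            }
            $key = Get-NormalizedName $value
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.Generic.List[string]
            }
            $index[$key].Add("$($obj.DistinguishedName) : $value")
        }
    }
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Type = 'CollidingValues'; Key = $entry.Key; Members = ($entry.Value -join '; ') })
        }
    }
    $findings
}

# Live audit (read-only queries against the domain):
# $spnObjects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
# Find-LookalikeName -Objects $spnObjects | Format-Table -AutoSize
# $users = Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName
# Find-LookalikeName -Objects $users -Attribute userPrincipalName | Format-Table -AutoSize

# Constructed sample (hypothetical names): the second object's SPN carries a zero-width
# space (U+200B) after "HTTP/", so it collides with the first object's SPN once normalized.
$sample = @(
    [pscustomobject]@{ DistinguishedName   = 'CN=websvc,OU=Service,DC=example,DC=test'
                       servicePrincipalName = @('HTTP/web01.example.test', 'HTTP/web01') },
    [pscustomobject]@{ DistinguishedName   = 'CN=jdoe,OU=Users,DC=example,DC=test'
                       servicePrincipalName = @("HTTP/$([char]0x200B)web01.example.test") }
)
Find-LookalikeName -Objects $sample | Format-Table -AutoSize
```

A `CollidingValues` finding lists every object that shares the normalized value, which is also the list of accounts whose SPN write permissions should be reviewed; a `NonAsciiValue` finding on its own is worth a look even without a collision, since ordinary SPNs and UPNs are ASCII.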
Hardening and Protection Measures
Implement continuous monitoring of Active Directory, including alerts for unusual changes in SPNs, UPNs, and critical account attributes.
Adopt the principle of least privilege, restricting write permissions on AD objects to trusted administrative accounts only.
Apply authentication hardening, prioritizing Kerberos and eliminating legacy protocols whenever possible.
Integrate Active Directory logs into the SIEM to enable suspicious event correlation and early detection of lateral movement.
Perform periodic AD configuration audits to identify excessive permissions or insecure configurations.
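The monitoring and SIEM items above come down to two signals from a domain controller's Security log: directory changes to SPN/UPN attributes (Event ID 5136) and NTLM credential validations (Event ID 4776, which a DC logs for each NTLM authentication it validates). The script below is an added example, not part of the advisory: it parses a 5136 event into an alertable record that flags non-ASCII values, and counts 4776 events per hour so a rise over the usual baseline can be spotted. It assumes the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL covering the write (without both, no 5136 is generated); the event XML in `$sampleEvent` is constructed test data with hypothetical names, not a real capture.

```powershell
# Added example (not part of the advisory): turn domain-controller Security-log events into
# alertable records for SPN/UPN changes (Event ID 5136) and NTLM volume (Event ID 4776).
# Assumes "Audit Directory Service Changes" auditing is enabled and the objects carry a SACL;
# the sample event XML at the bottom is constructed test data, not a real capture.

$WatchedAttributes = @('servicePrincipalName', 'userPrincipalName')

function ConvertFrom-DsChangeEvent {
    # Parse one 5136 event (XML text from $event.ToXml()) into a record, or $null if the
    # changed attribute is not one we watch.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['AttributeLDAPDisplayName'] -notin $WatchedAttributes) { return $null }
    $value = [string]$data['AttributeValue']
    # OperationType holds a message-resource id: %%14674 = value added, %%14675 = value deleted
    $op = switch ($data['OperationType']) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $_ } }
    [pscustomobject]@{
        Time      = $doc.Event.System.TimeCreated.SystemTime
        DC        = $doc.Event.System.Computer
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']
        Operation = $op
        Value     = $value
        # Invisible or otherwise non-ASCII code points are the lookalike pattern described above
        NonAscii  = [bool]($value -match '[^\x20-\x7E]')
    }
}

function Get-NtlmValidationsPerHour {
    # Hourly count of 4776 events on a DC; compare against the environment's normal baseline,
    # since a rise after Kerberos failures is the NTLM-fallback indicator listed in the advisory.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours)
    } |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
        Sort-Object Hour
}

# Live use on a DC (or remotely via -ComputerName): SPN/UPN changes from the last 24 hours
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-DsChangeEvent $_.ToXml() } |
#     Where-Object { $_ } | Format-Table -AutoSize
# Get-NtlmValidationsPerHour -ComputerName dc01.example.test

# Constructed sample 5136 event (hypothetical names): a regular user adds an SPN that
# contains a zero-width space (U+200B) after "HTTP/".
$sampleEvent = @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>5136</EventID>
    <TimeCreated SystemTime='2026-03-21T10:15:00.000Z'/><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name='SubjectUserName'>jdoe</Data><Data Name='SubjectDomainName'>EXAMPLE</Data>
    <Data Name='ObjectDN'>CN=jdoe,OU=Users,DC=example,DC=test</Data>
    <Data Name='AttributeLDAPDisplayName'>servicePrincipalName</Data>
    <Data Name='AttributeValue'>HTTP/$([char]0x200B)web01.example.test</Data>
    <Data Name='OperationType'>%%14674</Data>
  </EventData>
</Event>
"@
ConvertFrom-DsChangeEvent $sampleEvent | Format-List
```

For SIEM use, the records from `ConvertFrom-DsChangeEvent` are the ones to forward: an `Added` operation on `servicePrincipalName` by an actor who is not an administrator, or any record with `NonAscii` set, maps directly to the first and fourth indicators in the IOC table.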
IOCs
| INDICATOR | TYPE |
| --- | --- |
| Modification of SPNs in AD accounts | Event |
| Unexpected creation or modification of service accounts | Event |
| Abnormal issuance of Kerberos tickets | Event |
| Presence of nearly identical SPNs | Event |
| Increase in NTLM authentication volume | Event |
Latest Updates
March 2026: Microsoft officially releases a patch addressing 78 vulnerabilities.
March 2026: CVE-2026-25177 officially disclosed, coinciding with the release of the patch.