

IBM Backup Services Flaw Allows Privilege Escalation
June 16, 2025
Multiple Dell Products Vulnerabilities
June 16, 2025
Severity
Medium
Analysis Summary
A critical spoofing vulnerability, tracked as CVE-2025-26685, affects Microsoft Defender for Identity (MDI) and allows unauthenticated attackers to escalate privileges in Active Directory environments. The flaw targets the Lateral Movement Paths (LMPs) feature in the MDI sensor, installed on Domain Controllers, which uses a Directory Service Account (DSA) to map lateral movement by querying systems via the SAM-R protocol. An attacker on the local network can manipulate the MDI sensor into authenticating with their system, capturing the DSA’s Net-NTLM hash via a forced downgrade from Kerberos to NTLM.
For the exploit to succeed, two key conditions must be met: the attacker's machine must have a registered DNS record, something that naturally occurs in environments using Windows DHCP with Active Directory, and the attacker must trigger an anonymous connection, generating a specific Windows Event ID. This is achieved through Null Session SMB commands, such as rpcclient -U "" -N [DC-IP] on Linux or net use \\[DC IP]\ipc$ "" /user:"" on Windows. These commands provoke the MDI sensor to authenticate to the attacker's system, believing it to be a legitimate endpoint.
Once the Net-NTLM hash of the DSA is obtained, attackers can crack the password offline using tools like Hashcat or leverage relay attacks to escalate privileges. A notable example includes combining this with the ESC8 vulnerability in Active Directory Certificate Services (ADCS), where the attacker can use Certipy (certipy relay -target 'http://[ADCS-CA]') to enroll certificates as the DSA and retrieve TGTs and NT hashes, leading to extensive domain reconnaissance. Despite being low-privilege, the DSA account grants read access to all AD objects and Local Administrator group info, increasing the attack surface dramatically.
Mitigation includes migrating to the unified XDR sensor (version 3.x), which is not vulnerable as it uses a different detection model. Microsoft will also update the classic MDI sensor to replace SAM-R queries with Kerberos-authenticated WMI queries. Additional hardening measures include converting the DSA to a Group Managed Service Account (gMSA) to reduce the risk of password cracking, and optionally disabling LMP collection entirely via Microsoft support. For detection, defenders should monitor DSA authentication from non-DC IPs, LDAP requests for pKIEnrollmentService, and Event ID 4887 for suspicious certificate issuance.
Impact
- Sensitive Data Theft
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-26685
Affected Vendors
- Microsoft
Affected Products
- Microsoft Defender for Identity
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Migrate to the unified XDR sensor (version 3.x): the new sensor architecture does not use the vulnerable LMP feature and is immune to this attack.
- Apply the forthcoming classic MDI sensor update: Microsoft will issue updates that replace SAM-R queries with WMI queries enforced with Kerberos-only authentication.
- Convert the DSA to a Group Managed Service Account (gMSA): this limits the impact of password cracking by rotating and securely managing credentials automatically.
- Disable LMP data collection: you can request complete disabling of LMP data collection from Microsoft support to eliminate the attack vector entirely.
- Monitor where the DSA authenticates from: detect authentication attempts from non-Domain Controller IP addresses, as the DSA should only authenticate from Domain Controllers.
- Monitor LDAP queries: look for requests with (objectCategory=pKIEnrollmentService), which may indicate certificate abuse attempts.
- Monitor Event ID 4887: this can help detect suspicious certificate issuance activities, especially in ADCS relay attack scenarios.
- Restrict null sessions: prevent attackers from establishing null sessions that trigger the MDI sensor behavior.
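The three detections named in the Analysis Summary and the Remediation list, run over constructed sample log records, as an added example written for this page (not code from Microsoft or from the advisory's author). The Domain Controller addresses, the DSA account name and the record layout are assumptions.

```python
# Added example: flag the CVE-2025-26685 indicators the advisory lists
# (DSA logons from non-DC IPs, pKIEnrollmentService LDAP queries, Event ID 4887
# issued to the DSA). Account name, DC addresses and record shape are assumptions.
import re

DC_IPS = {"10.0.0.10", "10.0.0.11"}   # assumed Domain Controller addresses
DSA_ACCOUNTS = {"svc-mdi-dsa"}        # assumed MDI Directory Service Account
PKI_FILTER = re.compile(r"objectcategory=pkienrollmentservice", re.IGNORECASE)

def _user(name: str) -> str:
    """Strip a DOMAIN\\ prefix or @realm suffix so names compare evenly."""
    return name.split("\\")[-1].split("@")[0].lower()

def find_alerts(events):
    """Return (rule, detail) pairs for records matching the advisory's detections."""
    alerts = []
    for ev in events:
        kind = ev.get("Event")
        if kind == 4624 and _user(ev["TargetUserName"]) in DSA_ACCOUNTS:
            # The DSA should only ever authenticate from a Domain Controller.
            if ev["IpAddress"] not in DC_IPS:
                pkg = ev.get("AuthenticationPackageName", "?")
                alerts.append(("dsa-non-dc-logon",
                               f"{ev['TargetUserName']} from {ev['IpAddress']} via {pkg}"))
        elif kind == "ldap-search" and PKI_FILTER.search(ev.get("Filter", "")):
            # Enumerating enrollment services often precedes ADCS relay abuse.
            alerts.append(("pki-enrollment-enum",
                           f"{ev['User']} from {ev['ClientIp']}: {ev['Filter']}"))
        elif kind == 4887 and _user(ev["Requester"]) in DSA_ACCOUNTS:
            # A certificate issued to the DSA is not expected in normal operation.
            alerts.append(("dsa-cert-issued",
                           f"request {ev['RequestId']} for {ev['Requester']}"))
    return alerts

# Constructed sample records (placeholder values, not real telemetry).
SAMPLE_EVENTS = [
    {"Event": 4624, "TargetUserName": "svc-mdi-dsa", "IpAddress": "10.0.0.10",
     "AuthenticationPackageName": "Kerberos"},                          # benign: from a DC
    {"Event": 4624, "TargetUserName": "svc-mdi-dsa", "IpAddress": "10.0.0.57",
     "AuthenticationPackageName": "NTLM"},                              # suspicious
    {"Event": "ldap-search", "User": "CORP\\jdoe", "ClientIp": "10.0.0.57",
     "Filter": "(objectCategory=pKIEnrollmentService)"},                # suspicious
    {"Event": 4887, "RequestId": 1042, "Requester": "CORP\\svc-mdi-dsa"},  # suspicious
    {"Event": 4887, "RequestId": 1043, "Requester": "CORP\\jdoe"},         # benign
]

if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In a real deployment the records would come from the DC security logs (4624, 4887) and from whatever LDAP query logging is available; the rule logic stays the same.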