
Unicode Manipulation and the 8.8 CVSS Privilege Escalation Threat in Active Directory (CVE-2026-25177)

  • March 12, 2026
  • 6 comments
  • 96 views

Link State

Hello everyone, I would like to alert you to the following vulnerability in Active Directory.

On March 10, 2026, Microsoft disclosed a new security vulnerability affecting Active Directory Domain Services (AD DS). The flaw, identified as CVE‑2026‑25177, allows an authenticated attacker to gain privilege escalation over the network, potentially reaching SYSTEM‑level privileges, the highest level in Windows environments.

Microsoft classified the vulnerability as Important, assigning it a CVSS 3.1 score of 8.8, indicating a high-risk issue—especially for enterprise environments where Active Directory is the core identity and authentication infrastructure.

Technically, the vulnerability is linked to CWE‑641: Improper Restriction of Names for Files and Other Resources. The issue stems from insufficient validation of names for certain resources inside Active Directory. Specifically, it affects Service Principal Names (SPN) and User Principal Names (UPN), which are critical for Kerberos authentication.

Microsoft explains that an attacker with limited privileges but authorized to modify SPNs on an account can exploit specially crafted Unicode characters to bypass internal controls designed to prevent duplicate name creation in Active Directory.


Microsoft stated at publication time that the vulnerability had not been publicly disclosed before the patch and that no active exploits are known to exist in the wild.

The issue can allow the creation of duplicate SPNs that bypass standard Active Directory validation checks. The attack works by inserting carefully crafted Unicode characters into an SPN or UPN to generate what appears to be a legitimate duplicate of an existing service name. When a client requests Kerberos authentication for that service, the Domain Controller may issue a ticket encrypted with the wrong key, causing the target service to reject it.

This behavior can lead to operational issues:

  • in some cases, the service may experience a denial of service due to invalid Kerberos tickets;
  • in other scenarios, the system may fall back to NTLM authentication, which still exists in many legacy environments and could open the door to additional attack techniques that rely on NTLM.

CVE-2026-25177 - Security Update Guide - Microsoft - Active Directory Domain Services Elevation of Privilege Vulnerability


Regards
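As an added example (not part of the original post or of Microsoft's guidance), here is a defender-side check a domain admin could run over an exported list of servicePrincipalName values: it flags any non-ASCII character in an SPN and groups SPNs that collide once invisible format characters are removed and the string is NFKC-normalised and case-folded. The account names and SPNs below are constructed, and the normalisation heuristics are assumptions for illustration, not the exact characters the CVE involves.

```python
import unicodedata
from collections import defaultdict

# Constructed sample of (account, SPN) pairs, as an AD export might look.
# Entries 3 and 4 are deliberate look-alikes of entries 1 and 2.
SAMPLE_SPNS = [
    ("svc-web", "HTTP/web01.corp.example.com"),
    ("svc-web", "MSSQLSvc/db01.corp.example.com:1433"),
    ("lowpriv-acct", "HTTP/web01.corp\u200b.example.com"),           # zero-width space (constructed)
    ("lowpriv-acct", "MSSQLSvc/db01.corp.exampl\uff45.com:1433"),    # fullwidth 'e' (constructed)
    ("svc-file", "CIFS/fs01.corp.example.com"),
]


def suspicious_chars(spn):
    """Return (offset, codepoint, Unicode category) for every character outside printable ASCII.

    Legitimate SPNs are plain ASCII, so anything reported here deserves a look.
    """
    return [(i, f"U+{ord(c):04X}", unicodedata.category(c))
            for i, c in enumerate(spn) if not (0x20 <= ord(c) < 0x7F)]


def canonical(spn):
    """Fold an SPN to a comparison key: drop format/control characters, NFKC-normalise, casefold.

    This is an assumed heuristic, not the comparison AD itself performs.
    """
    stripped = "".join(c for c in spn if unicodedata.category(c) not in ("Cf", "Cc"))
    return unicodedata.normalize("NFKC", stripped).casefold()


def find_collisions(entries):
    """Group (account, SPN) pairs whose canonical forms match; only groups of 2+ are returned."""
    groups = defaultdict(list)
    for account, spn in entries:
        groups[canonical(spn)].append((account, spn))
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    for account, spn in SAMPLE_SPNS:
        for offset, cp, cat in suspicious_chars(spn):
            print(f"[non-ASCII] {account}: {spn!r} has {cp} ({cat}) at offset {offset}")
    for key, members in find_collisions(SAMPLE_SPNS).items():
        print(f"[collision] {key}: {members}")
```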

6 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • March 12, 2026

Time to update my Security team. Thanks for sharing this one.


kciolek
  • Influencer
  • March 12, 2026

Thanks for sharing! I’ll send this to my AD Admin if not aware already.


coolsport00
  • Veeam Legend
  • March 12, 2026

@Link State - So is this remediated in the patches released 2 days ago then? I couldn’t find anything definitive in the article.

Thanks!


dips
  • On the path to Greatness
  • March 13, 2026

@Link State - So is this remediated in the patches released 2 days ago then? I couldn’t find anything definitive in the article.

Thanks!

Yes, it looks like it is remediated with the release of March Updates.


coolsport00
  • Veeam Legend
  • March 13, 2026

Appreciate the assist Dipen 👍🏻


kciolek
  • Influencer
  • March 13, 2026

@Link State - So is this remediated in the patches released 2 days ago then? I couldn’t find anything definitive in the article.

Thanks!

Yes, it looks like it is remediated with the release of March Updates.

Thanks for letting us know!