A privilege escalation vulnerability in the Windows SMB server leverages ghost Service Principal Names (SPNs) and Kerberos authentication reflection to obtain remote SYSTEM-level access.
Microsoft designated it CVE-2025-58726, an “SMB Server Elevation of Privilege” flaw affecting every Windows version on which SMB signing is not enforced.
According to Semperis, the issue is present in environments with default Active Directory (AD) configurations, underscoring that Kerberos remains susceptible to reflection despite the mitigations shipped for related flaws such as CVE-2025-33073.
Disclosed to the Microsoft Security Response Center (MSRC) on June 25, 2025, and confirmed as “Important” severity by July 22, CVE-2025-58726 exploits the interplay between unresolvable SPNs and permissive DNS record creation.
By default, any authenticated domain user can create records in AD-integrated DNS zones, so an attacker can hijack ghost SPN entries: SPNs that reference hostnames which no longer resolve, left behind by legacy systems, deployment errors, or hybrid setups.
This enables Kerberos ticket relaying without knowing any credential, grants administrative control of the target, and escalates to domain dominance if a Tier 0 asset such as AD Certificate Services is compromised.
Kerberos Reflection Mechanics And Ghost SPN Exploitation
Kerberos authentication, integral to Windows domains, issues service tickets encrypted under the service account’s long-term key (symmetric, not asymmetric, cryptography) for secure service access, but it has no built-in safeguard against reflection comparable to the reflection and channel-binding mitigations NTLM has received over the years.
Authentication reflection means capturing a victim’s Kerberos AP-REQ (Application Request) and replaying it to a service on the victim’s own host, so that the victim ends up authenticating to itself.

In CVE-2025-58726, ghost SPNs (with the HOST/ or CIFS/ service class) registered on the target’s computer account serve as the pivot.
The prerequisites, Semperis added, are low-privileged domain access, a domain-joined target that does not require SMB signing (so unsigned Negotiate/Session Setup exchanges carrying the Kerberos blob are accepted), and a ghost SPN on that target.
Attackers query AD for SPNs over LDAP, identify those whose hostname does not resolve (e.g., an nslookup failure), and register a DNS A record mapping the ghost hostname to an IP they control, exploiting the default permission that lets Authenticated Users create child (dnsNode) objects in AD-integrated zones.

Coercion follows: tools such as PrinterBug (MS-RPRN) or PetitPotam (MS-EFSRPC) make the target’s machine account connect to the attacker’s host over SMB, for which it requests a TGS (Ticket Granting Service) ticket for the ghost SPN cifs/ghost@domain.
Because that SPN is registered on the target’s own computer account, the KDC encrypts the service ticket under that account’s key; on the target, that account maps to SYSTEM in LSASS.
A relay tool such as KrbRelayEx accepts the coerced SMB connection, captures the SPNEGO-wrapped Kerberos AP-REQ during the SMB2 Negotiate and Session Setup phases, and replays it to the target’s own SMB server.
The target accepts the relayed token as its machine account, which lets the attacker issue Tree Connect and Create requests (SMB2’s counterpart of SMB1’s NTCreateAndX) against administrative shares and, from there, execute code as SYSTEM.
Network traces show the target computer account requesting a TGS for cifs/ghost, i.e. a ticket for a service whose key it holds itself, which confirms the reflection.
This vector evades the CVE-2025-33073 SMB client fix, which addressed CredMarshal-based relaying; here nothing binds the SPN to a verified host: the KDC does not check that an SPN’s hostname resolves to the account holding it, and before the patch the SMB server accepted a ticket for its own SPN from a remote address. The same reflection extends to other Kerberos-authenticated protocols such as WMI (RPC/DCOM) or RDP where the registered SPNs permit.
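The discovery step above (enumerating SPNs over LDAP and testing which hostnames no longer resolve) is the same query on both sides of the fence: the attacker runs it to find a name to hijack, and the defender runs it for the SPN audit recommended under Mitigations. The PowerShell below is an added example, not Semperis’ TestComputerSpnDNS tool or code from the article. It assumes a domain-joined Windows host with the built-in DnsClient module, and it performs no DNS registration (that is the attacker’s next step, done with an ordinary secure dynamic update from the low-privileged account).

```powershell
# Added example (not from the article or Semperis): list HOST/ and CIFS/ SPNs on
# computer accounts whose hostname does not resolve in DNS, i.e. ghost SPNs that a
# low-privileged user could claim by creating the missing A record.
# Assumes a domain-joined host; uses only System.DirectoryServices and Resolve-DnsName.
function Find-GhostSpn {
    [CmdletBinding()]
    param(
        # LDAP search base, default: the current domain's naming context
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext,
        # Service classes to inspect; HOST/ and CIFS/ are the ones SMB reflection needs
        [string[]]$ServiceClass = @('HOST', 'CIFS')
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(&(objectCategory=computer)(servicePrincipalName=*))'
    $searcher.PageSize   = 1000   # paged search, so large domains are enumerated completely
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'dNSHostName', 'servicePrincipalName'))

    $resolved = @{}   # hostname -> $true/$false, so each distinct name is looked up once

    foreach ($result in $searcher.FindAll()) {
        $account = [string]($result.Properties['samaccountname'] | Select-Object -First 1)
        $dnsName = [string]($result.Properties['dnshostname']    | Select-Object -First 1)

        foreach ($spn in $result.Properties['serviceprincipalname']) {
            # SPN grammar: serviceclass/host[:port][/servicename]; only the host part matters here
            $parts = [string]$spn -split '/', 3
            if ($parts.Count -lt 2) { continue }
            if ($ServiceClass -notcontains $parts[0].ToUpper()) { continue }
            $spnHost = ($parts[1] -split ':')[0]

            if (-not $resolved.ContainsKey($spnHost)) {
                # -DnsOnly skips LLMNR/NetBIOS/hosts-file answers: only a real DNS record counts.
                # Single-label names are expanded with the DNS suffix search list, as a client would do.
                $answer = Resolve-DnsName -Name $spnHost -DnsOnly -ErrorAction SilentlyContinue
                $resolved[$spnHost] = [bool]$answer
            }

            if (-not $resolved[$spnHost]) {
                [pscustomobject]@{
                    Computer    = $account      # account that owns the SPN (the reflection target)
                    DnsHostName = $dnsName      # where that computer actually lives
                    SPN         = [string]$spn
                    GhostHost   = $spnHost      # the name an attacker would register in DNS
                }
            }
        }
    }
}

# Typical use: report, then feed each SPN/Computer pair to 'setspn -D <SPN> <Computer>'
Find-GhostSpn | Sort-Object Computer | Format-Table -AutoSize
```

A ghost host that is a bare label, or an FQDN inside a zone the attacker can write to, is the hijackable case; a ghost whose FQDN sits in a zone outside the forest is not usable for this attack, so check the zone before treating every hit as exploitable.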
Mitigations
Microsoft’s fix lives in srv2.sys, the driver that implements the SMB 2.0+ server.
In Smb2ExecuteSessionSetupReal(), the update adds a check gated by the feature flag Feature_3857492281__private_IsEnabledDeviceUsage(), which calls SrvAdminValidateSpn_Old() to determine whether the SPN in the incoming Kerberos token belongs to the local machine.
When it does, Smb2ValidateLoopbackAddress() inspects the source address of the connection; a remote (non-loopback, i.e. not 127.0.0.1) connection makes the check fail and the session is torn down before the token is impersonated.
This breaks the reflection loop without changing the Kerberos flow itself, but residual risk remains on unpatched hosts and in multi-protocol setups.
Mitigate by enforcing SMB signing through Group Policy (RequireSecuritySignature=1 on clients and servers), auditing SPNs with a tool such as TestComputerSpnDNS to enumerate ghosts and purging them (setspn -D), and removing the default “Create all child objects” right of Authenticated Users from the ACL of each AD-integrated zone (via DNS Manager’s Security tab, dsacls, or Set-Acl on the zone object; dnscmd /config sets server and zone parameters, not zone permissions).
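The three hardening steps just listed, as an added example (not code from the article or from Semperis): check and enforce SMB signing on a server, inspect and remove the Authenticated Users create-child ACE on an AD-integrated zone, and drop a ghost SPN with setspn. It assumes an elevated session on the server for the SMB part, an AD-integrated zone stored in the DomainDnsZones partition (the default for domain-replicated zones) and an account allowed to change that zone object’s ACL; the zone and computer names are placeholders.

```powershell
# Added example (not the article's or Semperis' code): audit and fix the conditions the
# reflection relies on: an SMB server that accepts unsigned sessions, a DNS zone in which
# Authenticated Users may create records, and a ghost SPN on the computer account.
# Assumptions: run elevated on the server for the SMB part; the DNS part targets an
# AD-integrated zone in the DomainDnsZones partition (the default) and needs rights to
# change the zone object's ACL. 'corp.example' and 'FILESRV01' are placeholders.

function Get-SmbSigningState {
    # RequireSecuritySignature is the setting the Group Policy value maps to.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ClientRequiresSigning = $cli.RequireSecuritySignature
    }
}

function Enable-SmbSigning {
    # After this, a Session Setup that is not signed (such as the relayed one) is rejected.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

function Get-DnsZoneEntry {
    param([Parameter(Mandatory)][string]$ZoneName)
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    # Default DN of a domain-replicated AD-integrated zone; forest-wide zones live under
    # DC=ForestDnsZones,<forest root DN> instead.
    [ADSI]"LDAP://DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
}

function Get-DnsZoneCreateChildRule {
    # Returns the ACEs that let Authenticated Users create child objects (dnsNode records)
    # in the zone; the ghost-name hijack needs exactly this right.
    param([Parameter(Mandatory)][string]$ZoneName)
    $acl = (Get-DnsZoneEntry -ZoneName $ZoneName).ObjectSecurity
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0)
    }
}

function Remove-DnsZoneCreateChildRule {
    # Removes the explicit create-child ACEs found above (inherited ones must be removed at their source).
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-DnsZoneEntry -ZoneName $ZoneName
    $acl  = $zone.ObjectSecurity
    foreach ($rule in (Get-DnsZoneCreateChildRule -ZoneName $ZoneName | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)   # matched by identity, rights and type
    }
    $zone.ObjectSecurity = $acl
    $zone.CommitChanges()
}

function Remove-GhostSpn {
    # setspn -D removes one SPN from an account; the computer is given by name, no trailing $.
    param([Parameter(Mandatory)][string]$Spn, [Parameter(Mandatory)][string]$Computer)
    setspn -D $Spn $Computer
}

# Example run with placeholder names: report first, change only after reviewing the output.
Get-SmbSigningState
Get-DnsZoneCreateChildRule -ZoneName 'corp.example' |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
# Enable-SmbSigning
# Remove-DnsZoneCreateChildRule -ZoneName 'corp.example'
# Remove-GhostSpn -Spn 'cifs/ghost.corp.example' -Computer 'FILESRV01'
```

Removing the Authenticated Users create-child ACE also stops domain members from registering their own first A record through secure dynamic update, so pre-create records or let DHCP register on clients’ behalf before rolling this out broadly; enforcing SMB signing has no such side effect and is the change that directly defeats the relay.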
Deploy Kerberos monitoring for anomalous TGS-REQs (e.g., via ETW on the domain controllers or Wireshark filters on port 88, looking for a computer account requesting a ticket for an SPN that maps back to itself), and block coercion by restricting the RPC interfaces involved (e.g., disabling the Print Spooler where it is not needed, filtering MS-EFSRPC, and RPC hardening settings such as DisableUnencryptedRpc=1) alongside general service hardening.
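A cheap, coarse signal for the reflection, as an added example not drawn from the article: in Security event 4769 on a domain controller, the requesting account (TargetUserName) and the account that owns the requested service (ServiceName) are the same computer account. The event does not record the SPN string, so a host legitimately talking to its own service by name looks identical; treat hits as leads to correlate with DNS record creation and coercion traffic. The sample event is constructed for offline testing.

```powershell
# Added example (not from the article or Semperis): flag Kerberos service-ticket requests
# (Security event 4769) in which a computer account requests a ticket for a service that
# it owns itself, the shape a coerced request for a ghost SPN takes. Runs offline on the
# constructed sample below, or against a domain controller via Get-ReflectedTgsRequest.
function Test-ReflectedTgsRequest {
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $requester = ($data['TargetUserName'] -split '@')[0]   # e.g. FILESRV01$, realm stripped
        $service   = $data['ServiceName']                       # account holding the SPN
        # Only computer accounts (trailing $) matter here; user self-requests are a different story.
        if ($requester -and $requester -eq $service -and $requester.EndsWith('$')) {
            [pscustomobject]@{
                Time     = $EventXml.Event.System.TimeCreated.SystemTime
                Account  = $requester
                Service  = $service
                ClientIp = $data['IpAddress']
                Note     = 'computer account requested a ticket for its own SPN; check for coercion and new DNS records'
            }
        }
    }
}

function Get-ReflectedTgsRequest {
    # Pull 4769 events from a DC's Security log (requires rights to read it remotely).
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } |
        ForEach-Object { [xml]$_.ToXml() } | Test-ReflectedTgsRequest
}

# Constructed sample (not a real capture): FILESRV01$ asks for cifs/ghost, which maps to FILESRV01$.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-10-15T10:00:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">FILESRV01$@CORP.EXAMPLE</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">FILESRV01$</Data>
    <Data Name="IpAddress">::ffff:10.0.0.50</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
[xml]$sample | Test-ReflectedTgsRequest
```

In the reflection the TGS-REQ is sent by the coerced target itself, so ClientIp is the target’s own address rather than the attacker’s; the attacker shows up instead as the source of the coercion (MS-RPRN or MS-EFSRPC traffic) and as the creator of the ghost host’s A record, which is where to pivot from a hit.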
The fix shipped in the October 14 Patch Tuesday release, but the episode emphasizes proactive AD hygiene: per industry reports, ghost SPNs turn up in roughly 70% of audited environments.
As attackers refine relay chains, combining these controls hardens the domain against evolving Kerberos abuse.