Microsoft Active Directory Domain Services Vulnerability Let Attackers Escalate Privileges


An “Important” security update released on March 10, 2026, addresses a high-severity flaw in Active Directory Domain Services (AD DS).

Tracked as CVE-2026-25177, this vulnerability has a CVSS score of 8.8. It allows authorized network attackers to elevate their privileges to full SYSTEM control.

This Elevation of Privilege flaw stems from an improper restriction on file and resource names (CWE-641).

The attack operates entirely over the network, requires minimal privileges, has low attack complexity, and requires no user interaction. It heavily impacts the confidentiality, integrity, and availability of the system.

Active Directory Domain Services Vulnerability

The exploit occurs when an attacker uses specially crafted Unicode characters to create duplicate Service Principal Names (SPNs) or User Principal Names (UPNs).

These hidden characters successfully bypass normal Active Directory security checks meant to stop duplicates. To launch the attack, a hacker only needs standard permission to write or modify SPNs on an account.

When clients request Kerberos authentication for a targeted service with a duplicate SPN, the domain controller mistakenly issues a ticket encrypted with the wrong key.


The target service then rejects the ticket, causing a denial of service (DoS) or forcing clients to fall back to the older, less secure NTLM authentication if it is still enabled.

No direct access to the targeted server is required beyond the initial SPN-write permission.

A successful exploit grants the attacker full SYSTEM privileges, letting them take complete control of the server and the broader domain environment.

Fortunately, Microsoft currently assesses the exploitability as “Less Likely,” with no public exploit code or active attacks in the wild at the time of publication.

Microsoft and Semperis coordinated to release official security updates to address this flaw. Network administrators must immediately apply these patches to secure their environments.

The updates cover a wide range of operating systems, including Windows 10, Windows 11, and Windows Server editions spanning from 2012 to the latest 2025 releases.

Monitoring Active Directory environments for unusual SPN modifications can also serve as a helpful proactive defense measure.
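
As an added example (not from Microsoft, Semperis, or the original article), the following audit sketch shows one way to review an exported list of SPNs and UPNs for names that carry non-rendering Unicode characters or that collide with another account's name once those characters are removed. The article does not name the characters involved, so the category set, the function names, and the sample data are assumptions.

```python
import unicodedata
from collections import defaultdict

# Assumption: "hidden characters" are treated here as Unicode format and
# control code points, line/paragraph separators and non-ASCII spaces.
# The article does not say which characters the flaw involves.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Zl", "Zp"}

def hidden_chars(value):
    """Return U+XXXX labels for code points that do not render visibly."""
    found = []
    for ch in value:
        cat = unicodedata.category(ch)
        if cat in HIDDEN_CATEGORIES or (cat == "Zs" and ch != " "):
            found.append(f"U+{ord(ch):04X}")
    return found

def canonical(value):
    """Fold a name to the form a human reviewer would perceive."""
    folded = unicodedata.normalize("NFKC", value)
    visible = "".join(c for c in folded if not hidden_chars(c))
    return visible.casefold()

def audit(entries):
    """entries: list of (account, spn_or_upn) pairs exported from the directory."""
    suspicious = [(acct, hidden_chars(name))
                  for acct, name in entries if hidden_chars(name)]
    groups = defaultdict(set)
    for acct, name in entries:
        groups[canonical(name)].add((acct, name))
    # A collision is one perceived name registered on more than one account.
    collisions = {key: sorted(members) for key, members in groups.items()
                  if len({acct for acct, _ in members}) > 1}
    return suspicious, collisions

# Constructed sample export, not real directory data.
SAMPLE = [
    ("svc-sql", "MSSQLSvc/db01.corp.example:1433"),
    ("jdoe", "MSSQLSvc/db01.corp.example\u200b:1433"),
    ("svc-web", "HTTP/web01.corp.example"),
    ("svc-web", "http/WEB01.corp.example"),
]

if __name__ == "__main__":
    suspicious, collisions = audit(SAMPLE)
    for acct, points in suspicious:
        print(f"hidden characters on {acct}: {', '.join(points)}")
    for key, members in collisions.items():
        print(f"perceived duplicate {key!r}: {[a for a, _ in members]}")
```

Any hit is a lead for review against the account's change history, not proof of compromise.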
