The Vulnerability
CVE-2026-25177 is an elevation-of-privilege vulnerability in Windows Active Directory Domain Services that was patched as part of Microsoft’s March 2026 Patch Tuesday on 10 March. The vulnerability has now been added to CISA’s Known Exploited Vulnerabilities catalogue, confirming that threat actors have been exploiting it in the wild — approximately three weeks after patches became available.
The root cause is an improper restriction of resource names in the Active Directory service. Specifically, the flaw involves how Active Directory validates Service Principal Names (SPNs) and User Principal Names (UPNs) during Kerberos authentication and directory operations. Certain edge cases in name handling, including Unicode normalisation, allowed a low-privileged authenticated domain user to manipulate directory objects in ways that resulted in escalation to domain administrator privileges.
The CVSS score is 8.8, with the attack vector classified as network-accessible, requiring only low privilege and no user interaction. This combination — network reachable, low privilege, no interaction, high impact — is exactly the profile that makes Active Directory escalation vulnerabilities particularly attractive to attackers.
Why This Is Serious
Active Directory is the identity backbone of the overwhelming majority of enterprise Windows environments. Domain administrator access in an Active Directory environment is effectively full organisational compromise — it provides control over every domain-joined system, the ability to create and modify all user accounts, access to all group policies, and typically lateral access to connected cloud identity systems like Entra ID.
The three-week gap between patch availability and confirmed exploitation is consistent with the pattern seen with other high-value AD vulnerabilities. Attackers with initial access to a domain account — whether obtained through phishing, password spray, or credential theft — now have a reliable path to full domain ownership via a well-understood technique.
The SPN/UPN validation flaw is technically distinct from prior Active Directory escalation vulnerabilities like PrintNightmare or ZeroLogon, but the impact is equivalent: a single low-privileged account can become a domain administrator.
Affected Systems
The vulnerability affects a broad range of Windows versions including Windows 10 21H2 and later, Windows 11 (all supported releases), Windows Server 2012 R2, 2016, 2019, and 2022. Any domain controller running an unpatched version is exposed.
How Attackers Are Using It
In observed exploitation, the attack path typically begins with an attacker who already holds a valid but low-privileged domain account — a foothold commonly obtained through phishing or credential stuffing. The attacker creates a specially crafted SPN or UPN value that triggers the validation flaw on the domain controller, resulting in a privilege escalation that grants domain administrator rights.
Security researchers have noted that the technique is conceptually related to historical Kerberoasting and AS-REP roasting attacks — it leverages the same name service infrastructure — but does not require offline cracking of captured hashes. Exploitation is entirely online and leaves relatively few event log artefacts, depending on the domain controller's audit policy configuration.
Recommended Actions
- Verify that the March 2026 Patch Tuesday update is applied to all domain controllers. This is the single most important action — the patch from KB5053624 (and equivalent for your OS version) closes the vulnerability. Check compliance via WSUS, Intune, or your patch management tooling now.
- Audit for indicators of exploitation. Review Active Directory event logs for unusual object modifications, unexpected SPN/UPN changes, and privilege escalation events (Event IDs 4728, 4732, 4756, 4770). Focus on events since 10 March when the patch was first available and exploitation may have begun.
- Enforce multi-factor authentication on all privileged accounts. While MFA does not prevent this specific escalation (which happens within the directory layer rather than at authentication), it limits the attacker’s ability to use the resulting domain admin account from external access points.
- Review the principle of least privilege for all domain accounts. Accounts that do not require domain access should not be domain members. Each user account with unnecessary domain privileges is a potential exploitation starting point.
- Enable Advanced Audit Policy on domain controllers if not already configured — particularly ‘Audit Directory Service Changes’ and ‘Audit Kerberos Service Ticket Operations’. This will improve visibility into SPN/UPN manipulation attempts.
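The following PowerShell hunting script is an added example, not part of the advisory or any Microsoft tooling: it pulls the event IDs listed in the audit step from every domain controller since the 10 March patch date, and separately lists directory-change events (ID 5136, the event that ‘Audit Directory Service Changes’ produces, not named in the advisory itself) that touch the servicePrincipalName or userPrincipalName attribute. It assumes the RSAT ActiveDirectory module, remote event-log access to each DC, and that the audit subcategory above is already enabled; the non-ASCII flag is a heuristic based on the advisory's mention of Unicode normalisation edge cases, not a confirmed indicator.

```powershell
# Added hunting script (not from the advisory). Assumes RSAT ActiveDirectory, remote event-log
# access to each DC, and 'Audit Directory Service Changes' on (5136 is only written when it is).
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                    Select-Object -ExpandProperty HostName),
    [datetime]$Since = [datetime]'2026-03-10'   # patch release date from the advisory
)
# Read a named EventData field; positional Properties[] indices differ per event ID.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
$escalationIds = 4728, 4732, 4756, 4770              # IDs listed in the advisory
$nameAttrs     = 'servicePrincipalName', 'userPrincipalName'
foreach ($dc in $DomainControllers) {
    # Group-membership additions and service-ticket renewals since the patch date.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $escalationIds; StartTime = $Since
    } | ForEach-Object {
        if ($_.Id -eq 4770) {   # 4770: account renewing a ticket, and for which service
            $actor  = Get-EventDataField $_ 'TargetUserName'
            $target = Get-EventDataField $_ 'ServiceName'
        } else {                # 4728/4732/4756: who added which member to which group
            $actor  = Get-EventDataField $_ 'SubjectUserName'
            $target = (Get-EventDataField $_ 'MemberName') + ' -> ' + (Get-EventDataField $_ 'TargetUserName')
        }
        [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; EventId = $_.Id;
                           Actor = $actor; Target = $target }
    }
    # Directory changes (5136) that touch SPN or UPN attributes. Non-ASCII values are
    # flagged as a heuristic because the advisory ties the flaw to Unicode normalisation.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $Since
    } | Where-Object { (Get-EventDataField $_ 'AttributeLDAPDisplayName') -in $nameAttrs } |
      ForEach-Object {
        $value = Get-EventDataField $_ 'AttributeValue'
        [pscustomobject]@{
            DC        = $dc
            Time      = $_.TimeCreated
            Actor     = Get-EventDataField $_ 'SubjectUserName'
            Object    = Get-EventDataField $_ 'ObjectDN'
            Attribute = Get-EventDataField $_ 'AttributeLDAPDisplayName'
            Value     = $value
            NonAscii  = [bool]($value -match '[^\x00-\x7F]')
        }
    }
}
```

Pipe the output to Export-Csv or your SIEM ingest; review membership additions to privileged groups and SPN/UPN writes by accounts that have no administrative role first.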