Two more identity vulnerabilities patched this week. CVE-2026-24297, a Kerberos RC4-HMAC security feature bypass, allows an attacker to forge authentication tokens under conditions that are more common than Microsoft’s advisory language implies. CVE-2026-25177, an Active Directory privilege escalation, allows a domain-authenticated attacker to elevate to domain administrator under specific but not exotic conditions.
Neither vulnerability is novel in concept. Kerberos weaknesses, AD privilege escalation paths, and domain controller compromise techniques have been the core of Windows enterprise attack methodology for the better part of a decade. The tools to exploit them — Mimikatz, BloodHound, Rubeus, Impacket — have been publicly available for years. The vulnerabilities disclosed this week are new instances of a recurring pattern rather than a category of attack that defenders are encountering for the first time.
This raises an uncomfortable question. If the attack techniques are well understood, the tools are publicly available, and the pattern has been consistent for years, why does Active Directory remain so consistently exploitable in enterprise environments?
The Architecture Problem
Active Directory was designed in the late 1990s for a different threat model. The design assumption was a trusted internal network where domain controllers were accessible only to authorised administrators and domain-joined workstations. Authentication protocols, including Kerberos itself, were designed to be fast and functional within that trusted perimeter. Security was a secondary concern to interoperability and administrative simplicity.
That perimeter assumption has not been valid for most enterprise environments for at least fifteen years. Remote working, cloud integration, third-party access, and the general dissolution of network perimeter controls mean that domain controllers in many organisations are reachable by a far broader range of systems and identities than the architecture assumed. The protocols still behave as though the network is trusted. The network is not.
Kerberos RC4-HMAC — the algorithm involved in this week’s CVE — is a legacy encryption mode that Microsoft has been trying to deprecate for years. It remains enabled by default in most environments because removing it breaks authentication for older systems, applications, and devices that have not been updated to support modern encryption modes. Every environment that has deferred that migration has a Kerberos attack surface that could have been substantially reduced.
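As an added illustration (this is not code from the article or from Microsoft), the following PowerShell audits the two places an administrator would look before starting the RC4-HMAC migration the paragraph describes: which accounts still advertise RC4 in the msDS-SupportedEncryptionTypes attribute, and which clients and services are still negotiating RC4 tickets according to the domain controller's Security log. It assumes the RSAT ActiveDirectory module, read access to the domain, and, for the event query, that it runs on a domain controller. The bit values and the 0x17 etype code are Microsoft's documented ones; everything else is an assumption of this example.

```powershell
# Added example: audit RC4-HMAC exposure in Active Directory.
# Requires RSAT ActiveDirectory; Get-Rc4TicketEvents must run on a DC.

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$EtypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function ConvertTo-EtypeNames {
    param($Value)
    # Null or 0 means the attribute is not set; the KDC then uses the domain
    # default, which still includes RC4 in most environments.
    if (-not $Value) { return 'NOT SET (domain default, RC4 likely)' }
    ($EtypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-Rc4Accounts {
    # Accounts with an SPN (service accounts, computers, krbtgt) are issued
    # service tickets, so their RC4 keys matter most. Drop the SPN clause from
    # the filter to audit every user object instead.
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter '(&(objectClass=user)(servicePrincipalName=*))' `
        -Properties msDS-SupportedEncryptionTypes |
      ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name       = $_.Name
            Class      = $_.ObjectClass
            Etypes     = ConvertTo-EtypeNames $v
            Rc4Exposed = (-not $v) -or (($v -band 0x04) -ne 0)
        }
      } | Where-Object Rc4Exposed
}

function Get-Rc4TicketEvents {
    # Event 4769 (TGS request; 4768 is the TGT equivalent) carries
    # TicketEncryptionType; 0x17 is RC4-HMAC. Lists who is still negotiating RC4.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TicketEncryptionType -eq '0x17') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d.TargetUserName
                Service = $d.ServiceName
                Client  = $d.IpAddress
            }
        }
    }
}

Get-Rc4Accounts | Sort-Object Class, Name | Format-Table -AutoSize
```

Two things this audit will surface that a patch does not fix. First, the attribute only restricts what the KDC will negotiate; an account has AES keys only if its password was set after the domain gained AES support, so accounts with old passwords (krbtgt included) need a reset before RC4 can be removed for them. Second, the 0x17 tickets in the event output usually point at the "older systems, applications, and devices" the paragraph mentions, which is the list that decides how long the migration takes.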
The Tiering Problem
Active Directory privilege escalation attacks succeed because of a fundamental misalignment between how organisations structure their identity environment and what effective containment would require.
In a well-tiered Active Directory environment — following Microsoft’s own published guidance on tiered administration — domain administrator accounts are used exclusively on domain controllers and are never used to authenticate to lower-tier systems. Workstations and member servers sit in a separate tier where administrator credentials have no path to domain controller compromise. The compromise of a workstation cannot cascade to domain administrator.
In practice, most enterprise environments are not tiered in this way. Domain administrator accounts are used for routine administrative tasks across the estate. Service accounts with high privileges are granted access far beyond what their function requires. Credential caches on member servers contain hashes that, extracted by an attacker with local administrator access, provide lateral movement paths to the domain controllers. BloodHound, the open-source AD attack path mapping tool, visualises these paths; in most environments it finds them in minutes.
The tiering model exists. The guidance is published and detailed. Implementing it is genuinely difficult — it requires re-engineering administrative workflows that have accumulated over years, retraining administrators, and accepting operational friction in exchange for security improvement. Most organisations have not done it.
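The tiering model described above can be checked rather than assumed. As an added example (not code from the article or from Microsoft's guidance), the PowerShell below flags tier-0 identities that log on to non-tier-0 hosts with a logon type that leaves reusable credential material behind, which is exactly the cascade the tiering model is meant to prevent. The account and host lists, domain name and 4624 records are all constructed placeholders for this demonstration; in production the records would come from Get-WinEvent on each host or from a SIEM.

```powershell
# Added example: detect tier-0 credentials being exposed on lower-tier hosts.
# Sample data is constructed; names are placeholders.

$Tier0Accounts = @('CORP\da-jsmith', 'CORP\da-backup')   # assumption: your DA/EA accounts
$Tier0Hosts    = @('DC01', 'DC02', 'PAW01')                # DCs and privileged access workstations

# Logon types that leave reusable credential material on the target
# (Interactive, Batch, Service, Unlock, RemoteInteractive, CachedInteractive).
# Network logon (3) does not, which is why it is allowed across tiers.
$CredentialExposingLogonTypes = 2, 4, 5, 7, 10, 11

# Constructed 4624 records. Field names mirror the Security log EventData;
# Computer stands for the event's MachineName (the host the logon occurred on).
$SampleEvents = @(
    @{ TargetDomainName='CORP'; TargetUserName='da-jsmith'; LogonType=10; Computer='FS01';  IpAddress='10.1.2.30' }
    @{ TargetDomainName='CORP'; TargetUserName='da-jsmith'; LogonType=3;  Computer='FS01';  IpAddress='10.1.2.30' }
    @{ TargetDomainName='CORP'; TargetUserName='da-backup'; LogonType=5;  Computer='SQL02'; IpAddress='-' }
    @{ TargetDomainName='CORP'; TargetUserName='da-jsmith'; LogonType=2;  Computer='DC01';  IpAddress='-' }
    @{ TargetDomainName='CORP'; TargetUserName='jdoe';      LogonType=2;  Computer='WS117'; IpAddress='-' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-TierViolations {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $acct        = '{0}\{1}' -f $Event.TargetDomainName, $Event.TargetUserName
        $acctIsTier0 = $Tier0Accounts -contains $acct
        $hostIsTier0 = $Tier0Hosts -contains $Event.Computer
        $exposes     = $CredentialExposingLogonTypes -contains [int]$Event.LogonType
        if ($acctIsTier0 -and -not $hostIsTier0 -and $exposes) {
            [pscustomobject]@{
                Account   = $acct
                Host      = $Event.Computer
                LogonType = $Event.LogonType
                Source    = $Event.IpAddress
                Finding   = 'Tier-0 credential exposed on lower-tier host'
            }
        }
    }
}

$SampleEvents | Find-TierViolations | Format-Table -AutoSize
```

On the constructed sample, the RDP logon of da-jsmith to FS01 and the service logon of da-backup on SQL02 are reported; the network logon to FS01 and the console logon on DC01 are not, because neither crosses the tier boundary with cached credentials. To run it against real data, replace $SampleEvents with the parsed EventData of Id 4624 from Get-WinEvent, and treat every finding as a workflow to re-engineer rather than a one-off alert, since each one is a path BloodHound would also draw.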
The Patching Problem
When a Kerberos or Active Directory CVE is disclosed, the standard recommendation is to apply the patch. This is correct and necessary. It is not sufficient.
Patching the specific vulnerability does not address the architectural conditions that make the vulnerability exploitable. An attacker who cannot use CVE-2026-24297 to forge a Kerberos ticket can still use pass-the-hash against cached credentials on a member server. An attacker who cannot use the specific privilege escalation path in CVE-2026-25177 can still use BloodHound to find another. The patch fixes the vulnerability. The attack surface remains.
This is not an argument against patching — it is an argument for treating patching as a minimum necessary control rather than a sufficient one. Organisations that patch AD vulnerabilities without addressing the underlying configuration and architecture problems are continuously one new CVE away from the same exposure they just remediated.
What Would Actually Help
The controls that would most substantially reduce Active Directory exposure are neither new nor secret. They are consistently documented and consistently under-implemented.
Privilege tiering — separating domain administrator, server administrator, and workstation administrator identities so that compromise at one tier cannot cascade to another — is the single highest-leverage architectural control for Active Directory environments. The operational cost is real; the security improvement is substantial.
Protected Users security group membership for all privileged accounts prevents credential caching, Kerberos delegation abuse, and RC4-HMAC downgrade attacks for accounts enrolled in the group. It is a built-in AD feature, available since Windows Server 2012 R2, that most organisations have not enabled for their administrative accounts.
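Enrolling privileged accounts in Protected Users is mostly a matter of knowing who is missing and checking the prerequisites first. The following PowerShell is an added example, not code from the article or from Microsoft: it lists members of the privileged groups that are not yet in Protected Users, surfaces the two prerequisites that most often cause trouble (an SPN, because the group blocks Kerberos delegation and NTLM, and an old password, because AES keys only exist for passwords set after the domain gained AES support), and stages the change with -WhatIf. It assumes the RSAT ActiveDirectory module and rights to modify group membership; the group names are the built-in ones.

```powershell
# Added example: find privileged accounts not in Protected Users and stage enrolment.
# Requires RSAT ActiveDirectory and rights to modify group membership.
Import-Module ActiveDirectory

function Get-PrivilegedNotProtected {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SamAccountName] = $true }

    $seen = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
          Where-Object { $_.objectClass -eq 'user' -and -not $seen[$_.SamAccountName] } |
          ForEach-Object {
            $seen[$_.SamAccountName] = $true
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties ServicePrincipalName, PasswordLastSet
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                ViaGroup         = $g
                InProtectedUsers = [bool]$protected[$u.SamAccountName]
                # Protected Users blocks Kerberos delegation and NTLM: an account
                # that runs a service (has an SPN) needs review before enrolment.
                HasSPN           = [bool]$u.ServicePrincipalName
                # AES keys exist only for passwords set after the domain gained
                # AES support; an older password must be reset before enrolment.
                PasswordLastSet  = $u.PasswordLastSet
            }
          }
    }
}

$report = Get-PrivilegedNotProtected
$report | Where-Object { -not $_.InProtectedUsers } | Format-Table -AutoSize

# Stage the change. Remove -WhatIf only after testing with one or two accounts:
# members lose NTLM, RC4, delegation and cached logon, and get a 4-hour TGT.
$candidates = $report |
    Where-Object { -not $_.InProtectedUsers -and -not $_.HasSPN } |
    Select-Object -ExpandProperty SamAccountName
if ($candidates) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $candidates -WhatIf
}
```

The -WhatIf default is deliberate: the group's protections are the point, but they also mean that an administrative account which was quietly relying on NTLM or on cached logon to a disconnected laptop stops working the moment it is enrolled, which is the operational friction the article refers to and the reason to enrol in small batches.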
Attack path monitoring, using tools like BloodHound Enterprise or equivalent, provides continuous visibility into the privilege escalation paths that exist in the current environment. This transforms the posture from “we patched the disclosed CVE” to “we can see the paths an attacker would use and we are closing them proactively.”
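To make the "see the paths and close them" posture concrete, here is an added example (not the article's code and not BloodHound's) of the search BloodHound automates, reduced to its core: a breadth-first search over a graph whose edges are group membership, local administrator rights and logon sessions. The edge list is constructed for this demonstration and the names are placeholders; the edge kinds borrow BloodHound's MemberOf / AdminTo / HasSession vocabulary. The example goes one step beyond the paragraph by re-running the search with one edge removed, which is how a defender confirms that a remediation actually closes the path.

```powershell
# Added example: minimal attack-path search over a constructed AD relationship graph.
# Real edges would be collected from group membership, local admin rights and sessions.

$Edges = @(
    @{ From='CORP\jdoe';       Kind='AdminTo';    To='WS117' }               # helpdesk user is local admin on a workstation
    @{ From='CORP\jdoe';       Kind='MemberOf';   To='CORP\Helpdesk' }
    @{ From='WS117';           Kind='HasSession'; To='CORP\svc-backup' }     # service account session on that workstation
    @{ From='CORP\svc-backup'; Kind='AdminTo';    To='FS01' }
    @{ From='FS01';            Kind='HasSession'; To='CORP\da-jsmith' }      # domain admin logged on to a file server
    @{ From='CORP\da-jsmith';  Kind='MemberOf';   To='CORP\Domain Admins' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-PathTo {
    # Breadth-first search from $Start to $Target; returns the shortest path as
    # an array of edges, or $null when no path exists within $MaxDepth hops.
    param(
        [string]$Start,
        [string]$Target,
        [object[]]$EdgeSet = $Edges,
        [int]$MaxDepth = 8
    )
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Node = $Start; Path = @() })
    $visited = @{ $Start = $true }
    while ($queue.Count) {
        $cur = $queue.Dequeue()
        if ($cur.Node -eq $Target) { return $cur.Path }
        if ($cur.Path.Count -ge $MaxDepth) { continue }
        foreach ($e in ($EdgeSet | Where-Object From -eq $cur.Node)) {
            if (-not $visited[$e.To]) {
                $visited[$e.To] = $true
                $queue.Enqueue(@{ Node = $e.To; Path = @($cur.Path + $e) })
            }
        }
    }
    return $null
}

function Format-Path {
    param($Path)
    if (-not $Path) { return 'no path' }
    ($Path | ForEach-Object { '{0} -[{1}]-> {2}' -f $_.From, $_.Kind, $_.To }) -join "`n"
}

# 1. Is there a path from an ordinary helpdesk user to Domain Admins?
$path = Find-PathTo -Start 'CORP\jdoe' -Target 'CORP\Domain Admins'
Format-Path $path

# 2. Model the fix (domain admin no longer logs on to FS01) and verify it closes the path.
$remediated = $Edges | Where-Object { -not ($_.From -eq 'FS01' -and $_.Kind -eq 'HasSession') }
Format-Path (Find-PathTo -Start 'CORP\jdoe' -Target 'CORP\Domain Admins' -EdgeSet $remediated)
```

On the constructed graph the first search returns the five-hop path jdoe to WS117 to svc-backup to FS01 to da-jsmith to Domain Admins, and the second returns no path, because removing the domain administrator's session on the file server is the one edge every route depends on. That is the tiering argument from earlier in the article expressed as graph data: the patch for a specific CVE removes none of these edges, while enforcing the tier boundary removes the one that matters.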
The vulnerabilities disclosed this week will be patched. New ones will follow. Active Directory’s attack surface will remain wide until organisations address the configuration and architecture problems that make each new CVE exploitable — and those problems are not fixed by patching alone.