
A new security vulnerability, designated as CVE-2025-26685, has been identified in Microsoft Defender for Identity, an Active Directory security solution used to detect identity-based threats. This vulnerability, rated as medium severity (CVSS score 6.5), allows attackers on an adjacent network to perform spoofing attacks, potentially leading to credential theft and privilege escalation in Active Directory environments.
Security researchers from NetSPI discovered the vulnerability, demonstrating that an attacker could coerce Defender for Identity sensors into authenticating to a malicious system, effectively stealing Net-NTLM authentication hashes that could then be relayed to gain higher privileges within Active Directory.
As identity-related attacks become more frequent, organizations relying on Defender for Identity must patch their deployments immediately to prevent potential exploitation.
Technical Breakdown of CVE-2025-26685
🛑 Key Details
- Vulnerability Type: Improper Authentication Handling (CWE-287)
- CVSS Score: 6.5 (Medium Severity)
- Attack Vector: Adjacent Network
- Privileges Required: None
- User Interaction: None
- Impact: Confidentiality High, Integrity None, Availability None
- Exploitation Status: Confirmed vulnerability, high potential for privilege escalation.
📌 How the Attack Works
- Microsoft Defender for Identity sensors are installed on Domain Controllers – These sensors are designed to monitor authentication patterns and detect suspicious behavior.
- The sensor queries systems to enumerate local administrators – This is legitimate sensor functionality, and it is the behavior the attack abuses.
- Attackers manipulate authentication requests – By controlling a system, attackers can force the sensor into authenticating to their malicious server, collecting Net-NTLM hashes in the process.
- Credential Relay Attack Possibility – If the attacker successfully captures NTLM hashes, they can relay authentication requests to access higher-privileged accounts in Active Directory.
This vulnerability highlights the dangers of NTLM authentication and its susceptibility to relay attacks, reinforcing the need for organizations to enforce Kerberos authentication.
Affected Microsoft Defender for Identity Deployments
🖥️ Vulnerable Systems
📌 CVE-2025-26685 affects Defender for Identity sensors installed on Domain Controllers.
⚠️ Exploitation Risks if Left Unpatched
- Identity Spoofing & Credential Theft – Attackers can capture authentication hashes, leading to unauthorized access.
- Privilege Escalation in Active Directory – Exploited environments may allow attackers to gain domain administrator privileges.
- Lateral Movement & Persistence – Once inside a network, attackers can use stolen credentials to pivot deeper into enterprise infrastructure.
Organizations relying on Microsoft Defender for Identity should apply security updates immediately to mitigate this spoofing risk.
Recommended Security Measures
✅ Immediate Mitigation Strategies
- Apply Microsoft’s Security Patch – Microsoft has released updates to fix CVE-2025-26685.
- Disable NTLM Authentication – Enforce Kerberos authentication to prevent NTLM relay attacks.
- Monitor for Exploitation Attempts – Audit logs for unexpected authentication requests originating from Defender for Identity sensors.
- Restrict Lateral Movement Paths (LMPs) – Modify Defender for Identity settings to limit unnecessary authentication queries.
Organizations should also conduct proactive security audits to ensure their Active Directory environments are hardened against identity-based attacks.
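The monitoring recommendation above is easier to act on with a concrete check. The following script is an added example, not code from the article or from Microsoft: it scans a constructed sample of Windows Security log events (IDs 4624 and 4625, exported as JSON lines) for NTLM network logons by the Defender for Identity service account that originate from hosts outside a known allowlist, which is the trace a captured-and-relayed sensor authentication would leave on a domain controller. The account name `svc-mdi$` and the allowlisted IP addresses are assumptions for the example; substitute your own Directory Service Account and sensor hosts.

```python
"""Flag NTLM network logons by the Defender for Identity service account
from unexpected source hosts (added example; sample data is constructed)."""
import json
from collections import Counter
from dataclasses import dataclass

# Assumed values, not from the advisory: the sensor's Directory Service
# Account (a gMSA here) and the addresses of the DCs that host sensors.
MDI_ACCOUNT = "svc-mdi$"
KNOWN_SENSOR_HOSTS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample: Security events trimmed to the fields the check uses.
# Line 2 and line 5 are the ones a defender would want to see flagged.
SAMPLE_LOG = """\
{"EventID": 4624, "TimeCreated": "2025-05-13T09:14:02Z", "TargetUserName": "svc-mdi$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.10", "WorkstationName": "DC01"}
{"EventID": 4624, "TimeCreated": "2025-05-13T09:15:40Z", "TargetUserName": "SVC-MDI$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77", "WorkstationName": "WKS-UNKNOWN"}
{"EventID": 4624, "TimeCreated": "2025-05-13T09:16:11Z", "TargetUserName": "svc-mdi$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.77", "WorkstationName": "WKS-UNKNOWN"}
{"EventID": 4624, "TimeCreated": "2025-05-13T09:17:25Z", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77", "WorkstationName": "WKS-UNKNOWN"}
{"EventID": 4625, "TimeCreated": "2025-05-13T09:18:03Z", "TargetUserName": "svc-mdi$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.78", "WorkstationName": "-"}
{"EventID": 4624, "TimeCreated": "2025-05-13T09:19:30Z", "TargetUserName": "svc-mdi$", "LogonType": 2, "AuthenticationPackageName": "NTLM", "IpAddress": "-", "WorkstationName": "DC01"}
"""


@dataclass(frozen=True)
class Finding:
    when: str
    event_id: int
    account: str
    source_ip: str
    workstation: str
    outcome: str  # "success" (4624) or "failure" (4625)


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines export of Security events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_unexpected_ntlm_logons(events, account=MDI_ACCOUNT,
                                allowed_sources=KNOWN_SENSOR_HOSTS):
    """Return NTLM network logons (successful or failed) by `account`
    whose source address is not in `allowed_sources`.

    Kerberos logons, interactive logons and other accounts are ignored:
    the relay scenario specifically produces NTLM type-3 logons for the
    sensor account coming from a host the sensor does not run on."""
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in (4624, 4625):
            continue
        if ev.get("LogonType") != 3:  # network logon only
            continue
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue
        if str(ev.get("TargetUserName", "")).lower() != account.lower():
            continue
        source_ip = ev.get("IpAddress", "-")
        if source_ip in allowed_sources:
            continue
        findings.append(Finding(
            when=ev.get("TimeCreated", "?"),
            event_id=event_id,
            account=ev.get("TargetUserName", ""),
            source_ip=source_ip,
            workstation=ev.get("WorkstationName", "-"),
            outcome="success" if event_id == 4624 else "failure",
        ))
    return findings


def summarize_by_source(findings) -> Counter:
    """Count findings per source address, useful for triage ordering."""
    return Counter(f.source_ip for f in findings)


if __name__ == "__main__":
    hits = find_unexpected_ntlm_logons(parse_events(SAMPLE_LOG))
    for f in hits:
        print(f"{f.when} event {f.event_id} {f.outcome}: {f.account} "
              f"via NTLM from {f.source_ip} ({f.workstation})")
    print("per-source counts:", dict(summarize_by_source(hits)))
```

Failed logons (4625) are kept deliberately: a relay attempt that is refused still shows the sensor account being presented over NTLM from a host it should never touch. Once NTLM is disabled as recommended, the same query becomes a simple tripwire, since any NTLM logon for the sensor account is then unexpected regardless of source.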
Conclusion & Next Steps
CVE-2025-26685 is a serious authentication vulnerability that requires immediate action from organizations using Microsoft Defender for Identity. A delayed response could result in identity spoofing, privilege escalation, and unauthorized access to critical systems.
📢 Recommended Actions:
✔️ Apply Microsoft’s latest security updates to patch CVE-2025-26685.
✔️ Disable NTLM authentication to prevent credential relay attacks.
✔️ Monitor security logs for unusual authentication attempts.