CVE-2025-26685 – Spoofing to Elevate Privileges with Microsoft Defender for Identity
Posted: Sun Jun 15, 2025 6:06 am
NetSPI discovered a spoofing vulnerability in the Microsoft Defender for Identity (MDI) sensor that abused the Lateral Movement Paths (LMPs) feature and allowed an unauthenticated attacker on the local network to coerce and capture the Net-NTLM hash of the associated Directory Service Account (DSA), under specific conditions. When present with other vulnerabilities, the unauthenticated attacker can elevate privileges to the DSA account and obtain a foothold in the Active Directory environment. This blog covers how NetSPI identified CVE-2025-26685 and reported the vulnerability to MSRC, and walks through replicating the vulnerability in a lab environment.
https://www.netspi.com/blog/technical-b ... 025-26685/