Microsoft Patches Active Directory Domain Services Elevation of Privilege Flaw
Microsoft disclosed and patched CVE-2026-25177, an Active Directory Domain Services (AD DS) Elevation of Privilege vulnerability, through its Security Update Guide. The issue affects a core identity service used across Windows enterprise environments, where successful exploitation could allow an attacker to gain higher privileges within an AD-managed domain and increase control over affected systems or directory operations.
The new advisory follows earlier Microsoft fixes for similar AD DS privilege-escalation bugs, including CVE-2022-34691 and CVE-2021-42287, underscoring the continued security risk around domain controller and directory service weaknesses. Organizations running AD DS should prioritize Microsoft’s security updates, assess exposure across domain controllers, and review privileged account activity for signs of attempted abuse tied to elevation-of-privilege paths in Active Directory.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2026-25177 in Active Directory Domain Services
Microsoft published a Security Update Guide entry for CVE-2026-25177, describing an Active Directory Domain Services elevation of privilege vulnerability.
Microsoft discloses CVE-2022-34691 in Active Directory Domain Services
Microsoft published a Security Update Guide entry for CVE-2022-34691, another Active Directory Domain Services elevation of privilege vulnerability.
Microsoft discloses CVE-2021-42287 in Active Directory Domain Services
Microsoft published a Security Update Guide entry for CVE-2021-42287, an Active Directory Domain Services elevation of privilege vulnerability.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-25177 - Security Update Guide - Microsoft - Active Directory Domain Services Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-34691 - Security Update Guide - Microsoft - Active Directory Domain Services Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2021-42287 - Security Update Guide - Microsoft - Active Directory Domain Services Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple **privilege escalation** vulnerabilities in core enterprise products, including **Active Directory Domain Services** and **SQL Server**, with public reporting highlighting network-reachable attack paths that require only authenticated or otherwise authorized access. **CVE-2026-25177** affects AD DS and was described as an elevation-of-privilege issue tied to improper restriction of file and resource names, enabling abuse of crafted Unicode characters to create duplicate `SPN` or `UPN` values. Reporting indicates this can interfere with Kerberos ticket handling, potentially causing denial of service, triggering fallback to **NTLM** where enabled, and ultimately enabling escalation to **SYSTEM**-level control in affected environments. Microsoft also disclosed **CVE-2026-21262** in **SQL Server**, an **Important**-rated flaw with a **CVSS 8.8** score that allows an authenticated attacker to elevate privileges to `sysadmin`, giving full control over the database instance. Public reporting said Microsoft assessed exploitation as **less likely** and had not observed active in-the-wild abuse at disclosure time, but noted the issue was publicly disclosed, increasing the risk of follow-on exploit development. Other referenced items about **ADCS ESC1**, **Cisco SD-WAN Manager**, and **n8n** concern separate products and unrelated vulnerabilities, while the standalone MSRC entry does not provide enough detail in the supplied content to confirm it is part of the same specific event.
Apr 16, 2026
Microsoft Fixes Windows LDAP Authentication Forwarding Privilege Escalation
Microsoft disclosed and patched **CVE-2017-8563**, an elevation-of-privilege flaw in Windows LDAP authentication that could let a man-in-the-middle attacker forward authentication requests to a vulnerable LDAP server. The issue affects Windows LDAP servers, including systems running **Active Directory Domain Services (AD DS)** and **Active Directory Lightweight Directory Services (AD LDS)**, when they are configured to require signing or sealing on incoming connections. The security update adds support for **Extended Protection for Authentication**, allowing affected LDAP servers to detect and block forwarded authentication attempts. Organizations using Windows-based directory services are advised to apply the Microsoft update and enable the protection to reduce the risk of authentication relay leading to privilege escalation in Active Directory environments.
May 25, 2026
Microsoft Patches Multiple Windows Elevation-of-Privilege Flaws in Networking Components
Microsoft disclosed and patched several Windows elevation-of-privilege vulnerabilities affecting networking-related components, including **Windows Remote Access Connection Manager**, **Windows SMB Server**, and **Network Connection Status Indicator (NCSI)**. The issues tracked as `CVE-2025-62474`, `CVE-2025-62472`, `CVE-2025-47955`, `CVE-2025-59201`, and `CVE-2025-58726` could allow attackers with limited access to gain higher privileges on targeted systems, extending a pattern of privilege-escalation risk previously seen in the same Remote Access Connection Manager component with `CVE-2022-21914`. Among the disclosed flaws, Microsoft provided additional detail for **`CVE-2025-58726`**, describing an **Important** improper access control issue in **Windows SMB Server** that can let an authorized low-privilege attacker elevate to **SYSTEM** over the network by coercing a victim machine to authenticate to an attacker-controlled SMB server using a specially crafted script. Microsoft assigned the bug **CWE-284** and a **CVSS v3.1 score of 7.5**, said exploitation required specific conditions involving an unused or nonexistent Service Principal Name on the target, and stated that the vulnerability was neither publicly disclosed nor exploited in the wild at publication and that a security fix was available.
May 25, 2026