Microsoft Fixes Windows LDAP Authentication Forwarding Privilege Escalation
Microsoft disclosed and patched CVE-2017-8563, an elevation-of-privilege flaw in Windows LDAP authentication that could let a man-in-the-middle attacker forward authentication requests to a vulnerable LDAP server. The issue affects Windows LDAP servers, including systems running Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS), when they are configured to require signing or sealing on incoming connections.
The security update adds support for Extended Protection for Authentication, allowing affected LDAP servers to detect and block forwarded authentication attempts. Organizations using Windows-based directory services are advised to apply the Microsoft update and enable the protection to reduce the risk of authentication relay leading to privilege escalation in Active Directory environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2017-8563 and releases a security update
Microsoft disclosed CVE-2017-8563, a Windows elevation of privilege vulnerability involving LDAP authentication forwarding by a man-in-the-middle attacker. The security update added support for Extended Protection for Authentication so affected LDAP servers can detect and block forwarded authentication requests when enabled.
Sources
3 references tracked. Mallory keeps watching after this page renders.
KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure - Microsoft Support
support.microsoft.com
Open sourceCVE-2017-8563 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2017-8563 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Active Directory Domain Services Elevation of Privilege Flaw
Microsoft disclosed and patched **`CVE-2026-25177`**, an **Active Directory Domain Services (AD DS) Elevation of Privilege** vulnerability, through its Security Update Guide. The issue affects a core identity service used across Windows enterprise environments, where successful exploitation could allow an attacker to gain higher privileges within an AD-managed domain and increase control over affected systems or directory operations. The new advisory follows earlier Microsoft fixes for similar AD DS privilege-escalation bugs, including **`CVE-2022-34691`** and **`CVE-2021-42287`**, underscoring the continued security risk around domain controller and directory service weaknesses. Organizations running AD DS should prioritize Microsoft’s security updates, assess exposure across domain controllers, and review privileged account activity for signs of attempted abuse tied to elevation-of-privilege paths in Active Directory.
May 25, 2026
Microsoft Patches LSASS Elevation of Privilege Vulnerabilities
Microsoft released security updates for two **Local Security Authority Subsystem Service (LSASS)** elevation of privilege flaws, tracked as **`CVE-2022-21884`** and **`CVE-2022-30166`**. Both advisories identify weaknesses in the Windows component responsible for enforcing security policy and handling authentication, creating a path for attackers to gain higher privileges on affected systems. The vulnerabilities were published through Microsoft's Security Update Guide and security advisory portal, indicating that organizations running impacted Windows environments should prioritize the relevant patches. Because **LSASS** operates with highly sensitive privileges, successful exploitation could allow an attacker with existing access to elevate permissions and strengthen control over a compromised host.
Jun 23, 2026
Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple **privilege escalation** vulnerabilities in core enterprise products, including **Active Directory Domain Services** and **SQL Server**, with public reporting highlighting network-reachable attack paths that require only authenticated or otherwise authorized access. **CVE-2026-25177** affects AD DS and was described as an elevation-of-privilege issue tied to improper restriction of file and resource names, enabling abuse of crafted Unicode characters to create duplicate `SPN` or `UPN` values. Reporting indicates this can interfere with Kerberos ticket handling, potentially causing denial of service, triggering fallback to **NTLM** where enabled, and ultimately enabling escalation to **SYSTEM**-level control in affected environments. Microsoft also disclosed **CVE-2026-21262** in **SQL Server**, an **Important**-rated flaw with a **CVSS 8.8** score that allows an authenticated attacker to elevate privileges to `sysadmin`, giving full control over the database instance. Public reporting said Microsoft assessed exploitation as **less likely** and had not observed active in-the-wild abuse at disclosure time, but noted the issue was publicly disclosed, increasing the risk of follow-on exploit development. Other referenced items about **ADCS ESC1**, **Cisco SD-WAN Manager**, and **n8n** concern separate products and unrelated vulnerabilities, while the standalone MSRC entry does not provide enough detail in the supplied content to confirm it is part of the same specific event.
Apr 16, 2026