
Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com
Published by CyberDudeBivash • Date: Oct 30, 2025 (IST)
New Privilege Escalation Attack Bypasses Defenses on SMB/Active Directory
A critical domain-level flaw (CVE-2025-54918) combines NTLM/LDAP relay and coerced authentication to escalate from a standard domain user to SYSTEM — even in environments with hardened controls like signing and channel binding.
TL;DR — Domain Admin via Domain User: Urgent Hunt & Patch
- Vulnerability: CVE-2025-54918 allows a domain user to escalate to SYSTEM via NTLM + LDAP bypass even if usual protections (SMB signing, channel binding) are in place.
- Impact: Complete Active Directory compromise from a low-privileged account; attacker can gain full control of domain.
- Action: Search for abnormal NTLM/LDAP traffic (LOCAL_CALL flags, missing SEAL/SIGN flags), apply patches, review service account certificates, enforce hardware-backed keys.
Contents
- Background & Attack Flow
- Technical Details of CVE-2025-54918
- Detection & Hunt Guidance
- Incident Response & Hardening
- FAQ
- Sources
Background & Attack Flow
In September 2025 researchers discovered CVE-2025-54918, which enables an attacker to escalate privileges in hybrid or on-premises Active Directory by chaining two well-known techniques: NTLM relay/coerced authentication + LDAP/LDAPS abuse. The clever part: the attacker can bypass NTLM signing/sealing and channel-binding mitigations previously considered effective.
Technical Details of CVE-2025-54918
Coerced Authentication
An attacker triggers a machine (often a domain controller) to authenticate to a system under attacker control. This hands the attacker the domain controller machine account’s NTLM authentication, which can then be relayed.
NTLM Relay & LDAP Exploit
The captured authentication is manipulated: the attacker removes SEAL/SIGN flags and uses the machine account to bind to LDAP/LDAPS on the DC with elevated rights — gaining SYSTEM or equivalent domain control.
Why Existing Defenses Fail
- Channel binding and LDAP signing previously blocked many relay paths — this exploit bypasses them.
- Standard NTLM protections assume human user-bound contexts; here, the machine account is weaponized.
Detection & Hunt Guidance
Deploy these immediately in your SIEM/EDR systems:
- **Monitor NTLM authentications**: Look for events where the LOCAL_CALL flag is set (which is unusual for network-based authentication).
- **Check LDAP/LDAPS binds from machine accounts**: Filter for machine accounts performing LDAP binds or modifications.
- **Missing SEAL/SIGN flags**: For sessions where signing/sealing should be present (see domain policy), flag missing flags in NTLM/LDAP logs.
- **Rapid token usage after sync**: Immediately after an AD sync operation, look for unusual role assignments or service-principal creation.
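The first three hunts above, expressed as code over constructed audit events, as an added example that is not from the original post or from the cited research. The event field names and flag spellings are assumptions to be mapped onto your own NTLM/LDAP audit source, and the example goes one step beyond the list by comparing a machine account's bind source against the host it belongs to:

```python
"""Hunt constructed NTLM/LDAP audit events for the indicators listed above."""
# Example code added for this post (not from the original or from CrowdStrike).
# Field names (event, account, src_ip, flags) are hypothetical: map them onto
# your own NTLM/LDAP audit source before use.
from ipaddress import ip_address

POLICY_REQUIRES_SIGNING = True           # mirror your domain LDAP signing policy
REQUIRED_FLAGS = {"NEGOTIATE_SIGN", "NEGOTIATE_SEAL"}
DC_HOSTS = {"DC01$": "10.0.0.5"}         # constructed: machine account -> own address

def is_machine_account(acct: str) -> bool:
    return acct.endswith("$")

def hunt(events):
    """Return (rule, account, src_ip) tuples for every event matching a hunt rule."""
    findings = []
    for e in events:
        acct, src, flags = e["account"], e["src_ip"], set(e.get("flags", []))
        # Rule 1: LOCAL_CALL on an authentication that arrived over the network.
        if e["event"] == "ntlm_auth" and "NEGOTIATE_LOCAL_CALL" in flags \
                and not ip_address(src).is_loopback:
            findings.append(("local_call_over_network", acct, src))
        # Rule 2: a machine account binding to or modifying LDAP; stronger signal
        # when the source is not the host the account belongs to (relay indicator).
        if e["event"] in ("ldap_bind", "ldap_modify") and is_machine_account(acct):
            rule = "machine_account_ldap"
            if DC_HOSTS.get(acct) not in (None, src):
                rule = "machine_account_ldap_from_foreign_host"
            findings.append((rule, acct, src))
        # Rule 3: signing/sealing absent where policy says they must be present.
        if POLICY_REQUIRES_SIGNING and e["event"] in ("ntlm_auth", "ldap_bind") \
                and not REQUIRED_FLAGS <= flags:
            findings.append(("missing_seal_sign", acct, src))
    return findings

# Constructed sample events: a benign local logon, a relayed DC machine-account
# authentication and bind, and a benign signed service-account bind.
SAMPLE_EVENTS = [
    {"event": "ntlm_auth", "account": "jdoe", "src_ip": "127.0.0.1",
     "flags": ["NEGOTIATE_LOCAL_CALL", "NEGOTIATE_SIGN", "NEGOTIATE_SEAL"]},
    {"event": "ntlm_auth", "account": "DC01$", "src_ip": "10.0.0.99",
     "flags": ["NEGOTIATE_LOCAL_CALL"]},
    {"event": "ldap_bind", "account": "DC01$", "src_ip": "10.0.0.99", "flags": []},
    {"event": "ldap_bind", "account": "svc_backup", "src_ip": "10.0.0.20",
     "flags": ["NEGOTIATE_SIGN", "NEGOTIATE_SEAL"]},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Only the two DC01$ events produce findings; the local logon and the signed service-account bind pass every rule, so the output is the relay pattern alone.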
Incident Response & Hardening
- Patch immediately: Apply vendor updates addressing CVE-2025-54918 (check Microsoft KB for domain controllers).
- Rotate machine-account secrets: Especially for domain controllers, and review service-account certificate exports.
- Enforce hardware-backed keys for critical privilege accounts to block token forging.
- Audit permissions: Restrict which machine accounts can authenticate via LDAP; implement an administrative tiering model.
- Segment identity systems: Network-segregate DCs, require MFA for administrative role use, and monitor for lateral movement toward DCs early.
FAQ
Does this require TPM or special hardware?
No, the exploit uses standard domain-level services (NTLM, LDAP) and works on widely used environments without special hardware.
Are hybrid Azure/Entra ID environments affected?
Yes. The research covers on-premises AD controllers and hybrid environments where AD sync is active.
Is user interaction needed?
In some phases, yes (to obtain domain user creds or script execution), but once foothold is gained, escalation can proceed without further user interaction.
Sources
- CrowdStrike — “From Domain User to SYSTEM: Analyzing the NTLM LDAP Authentication Bypass Vulnerability (CVE-2025-54918)”, Oct 22 2025.
- GBHackers — “New Attack Chains: Ghost SPNs and Kerberos Reflection to Privilege Escalation (CVE-2025-58726)”, Oct 30 2025.
- SDT.co.id — “New Active Directory Attack Method Bypasses Authentication to Steal Data”, Aug 8 2025.