Defender Flaw: AD at Risk

In the ever-evolving world of cybersecurity, it’s not always the loudest exploits that do the most damage. Sometimes, it’s the silent ones hidden in routine tools that breach the deepest. A newly disclosed vulnerability (CVE-2025-26685) in Microsoft Defender for Identity (MDI) has drawn just such a line in the sand.

Though rated a modest 6.5 on the CVSS scale, this spoofing flaw has implications that ripple far beyond its score. It exploits the Lateral Movement Paths (LMPs) feature in MDI, using it as an unguarded corridor into an organization’s most sensitive territory: Active Directory environments.

A Breach Born from Trust

At the core of this vulnerability lies MDI’s reliance on SAM-R protocol queries to map lateral movement. A feature designed to defend has now become a backdoor. By triggering anonymous SMB connections to Domain Controllers, attackers can coerce MDI sensors into authenticating using outdated NTLM protocols, an act that leaks the very hashes meant to stay secret.

All it takes is a DNS-mapped attacker-controlled host and some well-timed event logs. Once the door is cracked open, the rest follows a chillingly methodical path.

Exploitation in Plain Sight

Using tools like Impacket and Certipy, attackers can:

  • Spin up an SMB server and await connections.
  • Trigger NTLM authentication by initiating a null session.
  • Capture the Net-NTLM hash of the Directory Service Account (DSA).
  • Relay the captured hash to an AD Certificate Services (ADCS) Web Enrollment endpoint using a known ESC8 vulnerability.
  • Acquire a malicious certificate and with it, DSA-level privileges.

From there, they gain access to Active Directory’s Deleted Objects Container, potentially reconstructing the entire domain topology and traversing it undetected.

Implications That Linger

The vulnerability goes far beyond hash theft:

  • Privilege Escalation becomes trivial if hashes are cracked or relayed.
  • Malicious Certificates can now be forged using legitimate systems.
  • Lateral Movement expands rapidly, turning a sensor node into a threat amplifier.

The Clues Left Behind

Organizations monitoring Windows Event Logs should watch closely for:

  • Unusual authentications to DSA accounts.
  • Certificate requests using authentication type 161.
  • Enumeration of certificate templates from non-standard IPs.

These signs may be subtle, but they offer early warnings that something is out of place.
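The three indicators above can be turned into a simple detection pass. The following is an added example, not code from the article or from COE Security: it runs over constructed sample records, and the field names (`kind`, `account`, `source_ip`, `auth_type`, `template`, `ts`), the DSA account name, the sensor addresses and the trusted PKI subnet are all assumptions to be replaced with your own SIEM schema and environment values. It goes one step beyond the list by correlating a DSA logon from an unexpected host with a subsequent authentication-type-161 certificate request for the same account, since that sequence is the relay chain the article describes.

```python
"""Detection pass over the three indicators the article lists.

Added example, not code from the article or from COE Security. Records are
constructed, and the field names are assumptions standing in for whatever your
SIEM exports from the Windows Security log (e.g. 4624 logons) and the AD CS log
(e.g. 4886/4887 certificate requests); map them to your real schema before use.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumption: the MDI Directory Service Account(s) in this environment.
DSA_ACCOUNTS = {"svc-mdi-dsa"}
# Assumption: hosts that legitimately authenticate as the DSA (the MDI sensors).
EXPECTED_DSA_SOURCES = {"10.0.0.11", "10.0.0.12"}
# Assumption: subnet from which certificate-template enumeration is routine.
TRUSTED_PKI_NETWORKS = [ipaddress.ip_network("10.0.50.0/24")]
# Authentication type the article flags on certificate requests.
SUSPICIOUS_AUTH_TYPE = 161
# Window in which a DSA logon followed by a cert request is treated as one chain.
CHAIN_WINDOW = timedelta(minutes=15)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-05-14T10:00:00", "kind": "logon", "account": "svc-mdi-dsa",
     "source_ip": "10.0.0.11"},                      # the sensor itself: benign
    {"ts": "2025-05-14T10:01:30", "kind": "logon", "account": "svc-mdi-dsa",
     "source_ip": "10.0.99.7"},                      # DSA logon from an unknown host
    {"ts": "2025-05-14T10:02:10", "kind": "template_enum", "account": "svc-mdi-dsa",
     "source_ip": "10.0.99.7"},                      # template enumeration, non-PKI subnet
    {"ts": "2025-05-14T10:03:00", "kind": "cert_request", "account": "svc-mdi-dsa",
     "source_ip": "10.0.99.7", "auth_type": 161, "template": "User"},
    {"ts": "2025-05-14T11:00:00", "kind": "cert_request", "account": "jdoe",
     "source_ip": "10.0.50.20", "auth_type": 2, "template": "User"},   # benign
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _in_trusted_pki_network(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_PKI_NETWORKS)


def evaluate(event):
    """Return the indicator name this single event matches, or None."""
    kind = event.get("kind")
    if kind == "logon":
        if (event.get("account") in DSA_ACCOUNTS
                and event.get("source_ip") not in EXPECTED_DSA_SOURCES):
            return "dsa_auth_unexpected_host"
    elif kind == "cert_request":
        if event.get("auth_type") == SUSPICIOUS_AUTH_TYPE:
            return "cert_request_auth_type_161"
    elif kind == "template_enum":
        if not _in_trusted_pki_network(event["source_ip"]):
            return "template_enum_nonstandard_ip"
    return None


def detect(events):
    """Run all three indicators, then correlate them per account.

    Returns a list of (indicator, account, source_ip, ts) tuples. A chained
    finding is appended when a DSA logon from an unexpected host is followed
    within CHAIN_WINDOW by a suspicious cert request for the same account.
    """
    findings = []
    for ev in sorted(events, key=_ts):
        hit = evaluate(ev)
        if hit:
            findings.append((hit, ev.get("account"), ev["source_ip"], ev["ts"]))

    logons = [f for f in findings if f[0] == "dsa_auth_unexpected_host"]
    requests = [f for f in findings if f[0] == "cert_request_auth_type_161"]
    for lg in logons:
        for rq in requests:
            gap = datetime.fromisoformat(rq[3]) - datetime.fromisoformat(lg[3])
            if lg[1] == rq[1] and timedelta(0) <= gap <= CHAIN_WINDOW:
                findings.append(("chained_dsa_logon_then_cert_request",
                                 lg[1], rq[2], rq[3]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run it directly to print the findings for the sample records; in practice, feed it the exported Security-log logon events and AD CS certificate-request events. The chained finding deserves the highest priority, because it marks the point at which a leaked DSA credential has been converted into a certificate.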

The Path to Protection

Microsoft’s remediation is twofold:

  1. Migration to Unified XDR Sensors: these rely solely on Kerberos and behavioral analytics, eliminating the NTLM exposure.
  2. Conversion to Group Managed Service Accounts (gMSAs): these reduce risk by eliminating password-based authentication.

Disabling LMPs altogether can also be considered if your environment isn’t compatible with these changes.

A Hidden Web of Exploits

This disclosure reminds us that cybersecurity isn’t just about patches and firewalls; it’s about understanding the ecosystem itself. When a monitoring tool designed to prevent lateral movement becomes a tool for achieving it, organizations must rethink their trust assumptions.

Conclusion

CVE-2025-26685 is a call to action not just to patch, but to question. How much access do your tools really have? Could a helpful feature become an overlooked liability? In an age where social engineering and chained vulnerabilities are rising in complexity and scale, the answers to these questions could define your organization’s security future.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services
  • Active Directory & Identity System Audits
  • Sensor & Endpoint Security Hardening
  • Mitigation planning for social engineering and NTLM relay attacks

As social engineering and chained exploits like this grow more advanced, COE Security works proactively with clients to close unseen gaps, evaluate identity infrastructure, and modernize sensor deployments to avoid downstream compromise.

Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and stay one step ahead in a world where trust is often the first vulnerability.
