Sky-Knight
Anyone with 2012 or older DCs left in their environment, this bug means AD may as well not exist.
Security Update Guide - Microsoft Security Response Center (msrc.microsoft.com)
Also, to be clear, the CVE talks about AD, but it's actually a bug with the permissions associated with the Network Configuration Operators Group. This is a default group on all Windows systems, and this situation allows for an escalation to System privileges, and from there to root.
Picus has a solid write-up on it: https://www.picussecurity.com/resou...rvices-cve-2025-21293-vulnerability-explained
But the super short version is, any Windows systems that are not patched as of Feb 2025 are vulnerable in such a way as to invalidate any user access controls at all.
Please, patch your stuff.
Please alert your customers.
Yes, my SOC is seeing this exploited in the wild.
Note: There is an update rollup for Windows Server 2012, but you have to be enrolled in ESU to get it.
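A triage check for the two things the post above points at, who is in the Network Configuration Operators group and whether the host has taken any update since the stated cutoff, as an added example that is not part of the original post. The function name, the `Priority` labels and the exact cutoff date are assumptions made for illustration; the hotfix date is only a heuristic, so a host that passes still needs its build checked against the MSRC guide.

```powershell
# Added audit example (not from the original post). Run elevated on a member
# server or workstation. On a domain controller the group lives in AD's Builtin
# container, so Get-LocalGroupMember does not apply there.
function Get-NcoAuditResult {
    param(
        # Assumed threshold, taken from the post's "patched as of Feb 2025".
        [datetime]$Cutoff = '2025-02-01',
        # Well-known SID of BUILTIN\Network Configuration Operators.
        [string]$GroupSid = 'S-1-5-32-556'
    )

    # Resolve the group by SID so the check also works on localized builds.
    $members = @()
    try {
        $members = @(Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop |
                     Select-Object -ExpandProperty Name)
    } catch {
        Write-Warning "Could not enumerate ${GroupSid}: $($_.Exception.Message)"
    }

    # Heuristic: a host with no update installed on or after the cutoff cannot
    # have fixes released after it. A recent install date proves nothing more.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $stale  = (-not $latest) -or ($latest.InstalledOn -lt $Cutoff)

    # Hypothetical priority labels for sorting a fleet report.
    if ($stale -and $members.Count) { $priority = 'PatchAndReviewMembers' }
    elseif ($stale)                 { $priority = 'Patch' }
    elseif ($members.Count)         { $priority = 'ReviewMembers' }
    else                            { $priority = 'NoFinding' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OS                  = (Get-CimInstance Win32_OperatingSystem).Caption
        LastHotFixId        = $latest.HotFixID
        LastHotFixDate      = $latest.InstalledOn
        NoUpdateSinceCutoff = $stale
        GroupMembers        = $members -join '; '
        Priority            = $priority
    }
}

Get-NcoAuditResult | Format-List
```

Because the function takes its settings as parameters, it can be sent to other hosts with `Invoke-Command -ScriptBlock ${function:Get-NcoAuditResult}` and the results sorted on `Priority`.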