
Researchers at NetSPI detailed a spoofing vulnerability (CVE-2025-26685) in Microsoft Defender for Identity (MDI). This flaw, while not weaponizable in isolation, becomes dangerous when paired with other vulnerabilities, potentially giving attackers unauthenticated privilege escalation into Active Directory environments.
The vulnerability originates from how the MDI sensor, which monitors lateral movement paths, queries systems in the network. NetSPI demonstrated that an attacker with network access could impersonate a target system and manipulate the SAM-R protocol, causing MDI to authenticate back to the attacker’s machine.
“The authentication is done using the SAM-R protocol where authentication can be downgraded from Kerberos to NTLM and results in the DSA’s Net-NTLM hash being captured,” the analysis notes.
Once captured, the Net-NTLM hash can be subjected to offline cracking or used in NTLM relay attacks, allowing the attacker to request a Kerberos TGT or even obtain a certificate via ADCS misconfigurations.
For successful exploitation of this vulnerability, two preconditions must be met:
- The attacker’s system must be registered in DNS, either manually or via Windows DHCP integration.
- The attacker must trigger a specific Windows Event ID by initiating a null session connection to the Domain Controller.
This triggers the MDI sensor to authenticate to the attacker’s system, where the hash is captured.
“The MDI sensor will authenticate to the attacker’s system and attempt to map LMPs by querying members of the Local Administrators group,” NetSPI explains.
In lab demonstrations, NetSPI used tools like Impacket, Certipy, and NetExec to elevate privileges by combining CVE-2025-26685 with known ADCS vulnerabilities such as ESC8. The attacker relays the captured hash to request a certificate in the DSA’s context, ultimately enabling domain-level enumeration or manipulation.
Microsoft recommends migrating from the classic MDI sensor to the unified XDR sensor (v3.x), which avoids the vulnerable SAM-R protocol altogether.
“The classic MDI sensor will no longer use SAM-R queries and will be replaced with WMI queries that are locked to Kerberos authentication,” the report states.
Additional defenses include:
- Provisioning DSA as a gMSA (group-managed service account) to reduce offline cracking risk.
- Disabling LMP (lateral movement path) data collection via Microsoft support if it is not operationally necessary.
- Monitoring Event ID 4624 and anomalous DSA authentication sources.
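One way to act on the last recommendation, as an added example that is not NetSPI's or Microsoft's code: scan Event ID 4624 records for logons by the MDI Directory Service Account (DSA) that use NTLM (the Kerberos-to-NTLM downgrade described above) or originate from a host other than the known sensors. The DSA account name, the expected source set and the sample records are all constructed assumptions.

```python
# Added example (not NetSPI's or Microsoft's code): flag Event ID 4624 logons by
# the MDI Directory Service Account (DSA) that use NTLM or come from a source
# outside the expected sensor hosts. Names and sample events are constructed.
DSA_ACCOUNT = "svc-mdi-dsa"                    # assumed DSA sAMAccountName
EXPECTED_SOURCES = {"10.0.0.10", "10.0.0.11"}  # assumed MDI sensor hosts

# Constructed 4624 records, flattened to key=value pairs as a SIEM might export.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=svc-mdi-dsa LogonType=3 "
    "AuthenticationPackageName=Kerberos IpAddress=10.0.0.10",
    "EventID=4624 TargetUserName=jdoe LogonType=2 "
    "AuthenticationPackageName=Kerberos IpAddress=10.0.1.23",
    "EventID=4624 TargetUserName=svc-mdi-dsa LogonType=3 "
    "AuthenticationPackageName=NTLM IpAddress=10.0.1.99",
    "EventID=4672 TargetUserName=svc-mdi-dsa IpAddress=10.0.1.99",
]

def parse_event(line):
    # Split a flattened record into a dict; tokens without '=' are ignored.
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def dsa_anomalies(event):
    """Reasons a 4624 record deserves a look; empty list means nothing unusual."""
    if event.get("EventID") != "4624":
        return []
    if event.get("TargetUserName", "").lower() != DSA_ACCOUNT:
        return []
    reasons = []
    # The DSA should authenticate with Kerberos; NTLM suggests a downgrade.
    if event.get("AuthenticationPackageName", "").upper() == "NTLM":
        reasons.append("ntlm")
    # Logons originating anywhere but a known sensor host are unexpected.
    if event.get("IpAddress") not in EXPECTED_SOURCES:
        reasons.append("unexpected-source")
    return reasons

def scan(lines):
    """Return (event, reasons) for each anomalous DSA logon in the input."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = dsa_anomalies(event)
        if reasons:
            hits.append((event, reasons))
    return hits

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event["TargetUserName"], event["IpAddress"], ", ".join(reasons))
```

In a real deployment the records would come from centrally collected security logs rather than the inline list, and the expected-source set would be the sensor hosts the DSA is provisioned on.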