CVE-2022-26925 Overview
CVE-2022-26925 is a Windows Local Security Authority (LSA) Spoofing Vulnerability that affects a wide range of Microsoft Windows operating systems. This vulnerability allows an unauthenticated attacker to coerce the domain controller to authenticate against another server using NTLM, enabling relay attacks that can lead to domain compromise. The vulnerability is particularly dangerous when combined with NTLM relay attacks against Active Directory Certificate Services (AD CS), potentially allowing attackers to gain domain administrator privileges.
Critical Impact
This vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. When chained with NTLM relay attacks, it can enable complete Active Directory domain compromise.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 20H2
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
Discovery Timeline
- May 10, 2022 - CVE-2022-26925 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-26925
Vulnerability Analysis
CVE-2022-26925 is classified under CWE-306 (Missing Authentication for Critical Function), representing a fundamental weakness in the Windows LSA authentication mechanism. The vulnerability resides in how Windows handles certain authentication requests, allowing attackers to force domain controllers to authenticate using NTLM to attacker-controlled servers.
The attack abuses the way the Windows LSA handles certain remotely reachable requests: an attacker can make the domain controller initiate an NTLM authentication to a destination of the attacker's choosing. This vulnerability is particularly impactful in enterprise environments because it targets the core authentication infrastructure of Windows domains.
When exploited in combination with NTLM relay techniques, particularly against AD CS web enrollment endpoints, attackers can obtain certificates that enable domain administrator access. The network-based attack vector with no required privileges or user interaction makes this vulnerability especially dangerous for organizations with exposed internal services.
Root Cause
The root cause of CVE-2022-26925 is a missing authentication check for critical functions within the Windows Local Security Authority subsystem. The LSA fails to properly validate authentication requests, allowing unauthenticated attackers to trigger authentication attempts from privileged system accounts, including the domain controller's machine account.
This design flaw enables attackers to leverage the implicit trust relationships in Windows authentication protocols. The lack of proper validation allows coercion of authentication credentials that can be relayed to other services accepting NTLM authentication.
Attack Vector
The attack exploits the network-accessible LSA interface to coerce NTLM authentication from domain controllers. An attacker positioned on the network can send specially crafted requests to the target system, causing it to initiate an NTLM authentication attempt to an attacker-controlled server.
The attack flow typically involves:
- An attacker sending a coercion request to the target domain controller
- The domain controller initiating an NTLM authentication to the attacker's server
- The attacker relaying the captured NTLM authentication to a vulnerable service
- When targeting AD CS, the attacker can request a certificate for the domain controller's account
- Using the obtained certificate, the attacker can authenticate as the domain controller and compromise the domain
This attack is particularly effective against environments that have not implemented EPA (Extended Protection for Authentication) or have AD CS web enrollment enabled without proper protections.
Detection Methods for CVE-2022-26925
Indicators of Compromise
- Unusual NTLM authentication requests originating from domain controllers to non-standard destinations
- Anomalous certificate requests from domain controller machine accounts in AD CS logs
- Unexpected outbound SMB connections from domain controllers to unknown IP addresses
- Successful logon events (Event ID 4624) on member servers recording NTLM authentication by a domain controller's machine account from a source address that is not a domain controller
Detection Strategies
- Monitor Event ID 4624 on member servers, in particular AD CS servers, for NTLM logons by domain controller machine accounts that originate from addresses other than the domain controllers themselves
- Implement network monitoring to detect unexpected outbound connections from domain controllers on ports 445, 139, and 80/443
- Audit AD CS certificate issuance logs for certificates requested by machine accounts
- Deploy endpoint detection rules to identify LSA coercion behavior patterns
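The following script is an added example, not part of the original advisory, that turns the indicators and detection strategies above into runnable detection logic. It correlates two Windows Security event types, 4624 (An account was successfully logged on) and 4887 (Certificate Services approved a certificate request and issued a certificate), over constructed sample records: a domain controller machine account authenticating with NTLM from an address that is not a domain controller, followed shortly afterwards by a certificate issued to that same account on the same CA host. The field names follow the Windows Security event XML; the "key=value | key=value" export format, the DC_INVENTORY mapping, and every host name, address, request ID and timestamp are assumptions constructed for the example.

```python
"""Detection of NTLM-relay patterns associated with CVE-2022-26925.

Added example, not part of the original advisory. It applies the indicators
above to constructed Windows Security event records:
  4624  An account was successfully logged on
  4887  Certificate Services approved a certificate request and issued a
        certificate
Field names follow the Windows Security event XML (EventID, Computer,
IpAddress, TargetUserName, AuthenticationPackageName, Requester, ...).
The "key=value | key=value" export format, the DC inventory and every host
name, address and timestamp below are constructed for the example.
"""
from datetime import datetime, timedelta

# Assumed inventory of domain controllers: machine account -> its known addresses.
DC_INVENTORY = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Constructed sample export, one event per line.
SAMPLE_LOG = """\
TimeCreated=2022-05-12T09:00:01 | EventID=4624 | Computer=FS01.corp.example | LogonType=3 | AuthenticationPackageName=Kerberos | TargetUserName=alice | IpAddress=10.0.5.23
TimeCreated=2022-05-12T09:02:10 | EventID=4624 | Computer=CA01.corp.example | LogonType=3 | AuthenticationPackageName=NTLM | TargetUserName=DC01$ | IpAddress=10.0.9.77
TimeCreated=2022-05-12T09:02:11 | EventID=4887 | Computer=CA01.corp.example | RequestId=1042 | Requester=CORP\\DC01$ | CertificateTemplate=DomainController
TimeCreated=2022-05-12T09:30:00 | EventID=4624 | Computer=CA01.corp.example | LogonType=3 | AuthenticationPackageName=NTLM | TargetUserName=DC02$ | IpAddress=10.0.0.11
TimeCreated=2022-05-12T09:30:02 | EventID=4887 | Computer=CA01.corp.example | RequestId=1043 | Requester=CORP\\DC02$ | CertificateTemplate=DomainController
TimeCreated=2022-05-12T10:15:00 | EventID=4624 | Computer=APP01.corp.example | LogonType=3 | AuthenticationPackageName=NTLM | TargetUserName=DC01$ | IpAddress=10.0.9.77
"""


def parse_event(line):
    """Parse one 'key=value | key=value' line into a dict; TimeCreated becomes a datetime."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


def parse_log(text):
    """Parse a whole export, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def account_name(requester):
    """Strip the domain prefix: 'CORP\\DC01$' -> 'DC01$'."""
    return requester.rsplit("\\", 1)[-1]


def suspicious_dc_ntlm_logons(events):
    """4624 events where a DC machine account logged on with NTLM from an
    address that is not one of that DC's own: the footprint of relayed
    credentials, regardless of which coercion method produced them."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        acct = ev.get("TargetUserName", "")
        if acct in DC_INVENTORY and ev.get("IpAddress") not in DC_INVENTORY[acct]:
            hits.append(ev)
    return hits


def relayed_cert_requests(events, window=timedelta(minutes=5)):
    """Correlate a suspicious DC NTLM logon on a CA host with a 4887 issuance
    to the same machine account on that host within `window`: the
    relay-to-AD-CS pattern the advisory describes."""
    alerts = []
    logons = suspicious_dc_ntlm_logons(events)
    for ev in events:
        if ev.get("EventID") != "4887":
            continue
        acct = account_name(ev.get("Requester", ""))
        for logon in logons:
            if logon["TargetUserName"] != acct or logon["Computer"] != ev["Computer"]:
                continue
            delta = ev["TimeCreated"] - logon["TimeCreated"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "account": acct,
                    "ca_host": ev["Computer"],
                    "source_ip": logon["IpAddress"],
                    "request_id": ev.get("RequestId"),
                    "template": ev.get("CertificateTemplate"),
                    "seconds_between": delta.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in suspicious_dc_ntlm_logons(events):
        print(f"NTLM logon by {hit['TargetUserName']} from {hit['IpAddress']} on {hit['Computer']}")
    for alert in relayed_cert_requests(events):
        print("Possible relayed certificate request:", alert)
```

On the constructed sample the first detector flags the two DC01$ NTLM logons from 10.0.9.77 and ignores DC02$ enrolling from its own address, and the correlation produces a single alert for request 1042 on CA01. In a real environment the inventory of DC addresses is the part that needs care: a domain controller with several interfaces or behind NAT will otherwise generate false positives, and the time window should be tuned to the CA's actual issuance latency.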
Monitoring Recommendations
- Enable verbose logging on domain controllers and AD CS servers to capture authentication flow details
- Configure SIEM rules to alert on NTLM relay patterns and unusual certificate requests
- Implement network segmentation monitoring to detect lateral movement attempts following exploitation
- Regularly review domain controller outbound connection logs for anomalous behavior
How to Mitigate CVE-2022-26925
Immediate Actions Required
- Apply Microsoft security updates from the May 2022 Patch Tuesday release immediately
- Enable Extended Protection for Authentication (EPA) on AD CS web enrollment services
- Disable NTLM authentication where possible and enforce Kerberos
- Implement LDAP signing and channel binding on domain controllers
Patch Information
Microsoft has released security updates to address CVE-2022-26925 as part of the May 2022 security updates. Administrators should apply the appropriate patches for their Windows versions immediately. For detailed patch information and download links, refer to the Microsoft Update Guide for CVE-2022-26925.
Note that Microsoft has provided specific guidance on mitigating NTLM relay attacks in conjunction with this vulnerability. Organizations should review the Microsoft Security Advisory for comprehensive remediation steps.
Workarounds
- Disable NTLM authentication on domain controllers and enforce Kerberos authentication
- Enable EPA on all Certificate Authority web enrollment interfaces to prevent relay attacks
- Implement network segmentation to limit exposure of domain controllers to untrusted network segments
- Configure Windows Firewall to restrict outbound SMB and HTTP connections from domain controllers
# Enable EPA on AD CS web enrollment (Certificate Authority Web Enrollment role)
# Run on the AD CS web enrollment server; "Default Web Site/CertSrv" is the default
# IIS application path and must be adjusted if enrollment is published elsewhere
C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site/CertSrv" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"Require" /extendedProtection.flags:"None" /commit:apphost
# EPA only takes effect over TLS, so also require SSL on the enrollment application
C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site/CertSrv" -section:system.webServer/security/access /sslFlags:"Ssl" /commit:apphost
# Configure LDAP channel binding (2 = always required); run on domain controllers
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" /v LdapEnforceChannelBinding /t REG_DWORD /d 2 /f
# Enable LDAP signing (2 = require signing); these two settings protect LDAP as a relay target and do not replace EPA on AD CS
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" /v LDAPServerIntegrity /t REG_DWORD /d 2 /f
# Verify the values were written
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" /v LdapEnforceChannelBinding
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" /v LDAPServerIntegrity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

