CVE-2025-21293 Overview
CVE-2025-21293 is an elevation of privilege vulnerability in Active Directory Domain Services (AD DS) affecting supported versions of Windows and Windows Server. The flaw is classified under [CWE-284] Improper Access Control. An authenticated attacker with low privileges on the network can exploit weak access control to gain elevated rights within a domain.
Microsoft addressed the issue in the January 2025 Patch Tuesday release. The vulnerability impacts client editions of Windows 10 and 11 alongside Windows Server 2012 through Windows Server 2025, making domain-joined enterprises the primary risk population.
Critical Impact
A low-privileged domain user can escalate to higher privileges across Active Directory, exposing the confidentiality, integrity, and availability of identity infrastructure to compromise.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-01-14 - CVE-2025-21293 published to the National Vulnerability Database
- 2025-01-14 - Microsoft releases the security update and publishes the Microsoft CVE-2025-21293 Advisory
- 2025-01-24 - NVD record last updated
Technical Details for CVE-2025-21293
Vulnerability Analysis
The vulnerability resides in Active Directory Domain Services, the core directory service used to manage authentication, authorization, and policy across Windows enterprises. AD DS exposes objects, attributes, and operations whose access is gated by security descriptors. Improper access control on a privileged object allows a standard authenticated user to perform operations reserved for higher-privileged principals.
Successful exploitation grants control over directory objects that influence privileged group membership, service principal configuration, or replication. From that position an attacker can move toward domain administrator rights. The attack is network-reachable, requires low attack complexity, and needs no user interaction, which raises the risk in flat enterprise networks where domain controllers are broadly reachable.
The EPSS probability for this CVE is unusually high relative to peer Microsoft elevation-of-privilege bugs, signalling active interest from exploit developers. Defenders should treat the issue as a near-term exploitation target even though Microsoft has not flagged in-the-wild attacks.
Root Cause
The root cause is improper access control [CWE-284] on a sensitive AD DS object or operation. The security descriptor or permission check governing the affected resource does not adequately restrict actions to privileged identities. A standard domain account with no special rights can therefore invoke functionality intended for administrators.
Attack Vector
The attack originates from any host that can reach a domain controller over standard AD protocols such as LDAP, RPC, or SMB. The attacker authenticates with valid domain credentials, then issues a sequence of directory operations against the misconfigured object. No social engineering or local access is required. Because the request path is the same as legitimate directory traffic, exploitation blends with normal user activity.
No verified public proof-of-concept code was available at the time of writing. See the Microsoft CVE-2025-21293 Advisory for vendor-supplied technical details.
// No verified exploitation code available.
// Refer to the Microsoft Security Response Center advisory for protocol-level details.
Detection Methods for CVE-2025-21293
Indicators of Compromise
- Modifications to highly privileged AD groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators) originating from non-administrative accounts.
- Unexpected writes to security descriptors, nTSecurityDescriptor, or servicePrincipalName attributes on privileged objects.
- LDAP modify or DCOM/RPC calls from user workstations targeting domain controllers outside of normal administration windows.
- Newly created accounts that are immediately added to privileged groups or granted delegation rights.
Detection Strategies
- Enable and forward Windows Security event IDs 4662 (object access), 4670 (permissions changed), 4728/4732/4756 (group additions), and 5136 (directory object modified) from all domain controllers.
- Establish a baseline of which principals legitimately modify AD privileged objects, and alert on deviations.
- Hunt for chains of low-privileged authentication followed by directory writes against sensitive objects within a short time window.
- Correlate AD telemetry with endpoint process events to identify the originating tool, such as PowerShell, dsacls.exe, or custom LDAP clients.
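As an added illustration of the baseline and hunting strategies above (example code written for this page, not Microsoft's or the advisory's), the rules below flag Tier 0 group additions by principals outside an assumed approved baseline and chain a logon to a sensitive directory write within a short window. The event records, the `CORP\...` principals, the `APPROVED_ADMINS` set and the DN values are constructed sample data in a flattened form such as a SIEM would normalise.

```python
from datetime import datetime, timedelta

# Tier 0 groups named in the advisory's indicators
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to global / local / universal group
DIR_WRITE_IDS = {5136, 4670}         # directory object modified / object permissions changed
SENSITIVE_DN_MARKERS = ("CN=AdminSDHolder,", "CN=Domain Admins,", "CN=Policies,")
# Hypothetical baseline: principals approved to change Tier 0 objects in this domain
APPROVED_ADMINS = {"CORP\\adm-jsmith"}

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"ts": "2025-01-20T09:00:02", "id": 4624, "actor": "CORP\\user1"},
    {"ts": "2025-01-20T09:00:41", "id": 5136, "actor": "CORP\\user1",
     "target": "CN=AdminSDHolder,CN=System,DC=corp,DC=example", "attr": "nTSecurityDescriptor"},
    {"ts": "2025-01-20T09:01:05", "id": 4728, "actor": "CORP\\user1",
     "group": "Domain Admins", "member": "CORP\\user1"},
    {"ts": "2025-01-20T11:30:00", "id": 4728, "actor": "CORP\\adm-jsmith",
     "group": "Domain Admins", "member": "CORP\\adm-new"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def is_sensitive(dn):
    return any(marker in dn for marker in SENSITIVE_DN_MARKERS)

def privileged_group_changes_by_non_admins(events):
    """Rule 1: additions to a Tier 0 group by a principal outside the approved baseline."""
    return [e for e in events
            if e["id"] in GROUP_ADD_IDS
            and e.get("group") in PRIV_GROUPS
            and e["actor"] not in APPROVED_ADMINS]

def logon_then_sensitive_write(events, window=timedelta(minutes=5)):
    """Rule 2: a logon (4624) by a non-approved actor followed within `window`
    by a 5136/4670 write against a sensitive object. Returns (logon, write) pairs."""
    events = sorted(events, key=_ts)          # tolerate out-of-order ingestion
    logons = [e for e in events if e["id"] == 4624]
    hits = []
    for w in events:
        if w["id"] not in DIR_WRITE_IDS or w["actor"] in APPROVED_ADMINS:
            continue
        if not is_sensitive(w.get("target", "")):
            continue
        for lg in logons:
            delta = _ts(w) - _ts(lg)
            if lg["actor"] == w["actor"] and timedelta(0) <= delta <= window:
                hits.append((lg, w))
                break
    return hits
```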
Monitoring Recommendations
- Ingest domain controller security, directory service, and Sysmon logs into a central analytics platform with at least 90-day retention.
- Continuously monitor effective permissions on Tier 0 objects and alert on drift from the approved baseline.
- Track service ticket requests and AdminSDHolder changes to catch follow-on persistence after privilege gains.
How to Mitigate CVE-2025-21293
Immediate Actions Required
- Apply the January 2025 Microsoft security updates to all domain controllers and Windows endpoints, prioritizing Tier 0 assets.
- Audit privileged group membership and remove accounts that do not require standing administrative rights.
- Review and tighten access control entries on AdminSDHolder, sensitive OUs, and Group Policy objects.
- Reset passwords for accounts that show anomalous directory activity since the patch release date.
Patch Information
Microsoft released fixes for all affected client and server SKUs on 14 January 2025. Update binaries and KB identifiers per OS build are listed in the Microsoft CVE-2025-21293 Advisory. Domain controllers must be patched before workstations to close the elevation path within the directory itself.
Workarounds
- No vendor-supplied workaround replaces the patch. Apply the security update as the primary control.
- Restrict LDAP and RPC access to domain controllers using network segmentation and host firewall rules where operationally feasible.
- Enforce tiered administration so that day-to-day user accounts cannot authenticate to domain controllers.
- Require multi-factor authentication and just-in-time elevation for any account with directory write permissions.
# Verify the January 2025 cumulative update is installed on a domain controller
# (compare the most recent entries against the KB numbers listed in the Microsoft advisory)
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Audit non-default permissions on the AdminSDHolder container
Import-Module ActiveDirectory
$dn = (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$dn").Access |
    Where-Object { $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|SYSTEM|Administrators' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.