New Attack Combines Ghost SPNs and Kerberos Reflection to Elevate Privileges on SMB Servers

Source: Cyber Security News

CVE-2025-58726 is a critical elevation of privilege vulnerability affecting Windows SMB servers, where unpatched systems can be targeted through Ghost SPNs and Kerberos authentication reflection. The flaw, discovered by Semperis and confirmed as ‘Important’ by Microsoft, enables attackers to gain remote SYSTEM-level access by hijacking ghost SPN entries and executing Kerberos ticket relaying. This vulnerability persists in setups with default Active Directory configurations and can lead to domain dominance if exploited against Tier 0 assets, such as Active Directory Certificate Services.

The vulnerability’s mechanics rely on the privileges of domain users, who can create DNS entries that facilitate Kerberos ticket requests without proper safeguards. Microsoft’s proposed mitigation strategies focus on updating the srv2.sys driver, enforcing SMB signing via Group Policy, and auditing SPNs. Reports indicating that ghost SPNs exist in over 70% of audited environments highlight the urgency of these measures and the need for proactive AD hygiene and effective monitoring against evolving threats in Kerberos authentication.
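For the SPN audit mentioned above, a sketch added here (not code from Semperis, Microsoft or the article) that flags SPNs whose host part has no DNS record, which is what makes an SPN a ghost. The account names, SPNs and DNS names are constructed sample data; real input is assumed to be an export of `servicePrincipalName` values per account.

```python
import socket

def spn_host(spn):
    """Host part of serviceclass/host[:port][/servicename], lower-cased."""
    parts = spn.strip().split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    return parts[1].split(":", 1)[0].rstrip(".").lower()

def dns_resolves(host):
    """Live lookup via the system resolver (short names use its search list)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_ghost_spns(accounts, resolves=dns_resolves):
    """Return (account, spn, host) for every SPN whose host does not resolve.
    Malformed SPNs are reported with host=None so they get reviewed too."""
    cache, findings = {}, []
    for account, spns in accounts.items():
        for spn in spns:
            try:
                host = spn_host(spn)
            except ValueError:
                findings.append((account, spn, None))
                continue
            if host not in cache:  # resolve each distinct host once
                cache[host] = resolves(host)
            if not cache[host]:
                findings.append((account, spn, host))
    return findings

# Constructed sample data: account -> SPNs, plus the names that exist in DNS.
SAMPLE_SPNS = {
    "FILESRV01$": ["HOST/filesrv01.corp.example", "HOST/FILESRV01",
                   "cifs/oldshare.corp.example"],
    "svc-sql": ["MSSQLSvc/sql01.corp.example:1433",
                "MSSQLSvc/sql-retired.corp.example:1433"],
}
SAMPLE_DNS = {"filesrv01.corp.example", "filesrv01", "sql01.corp.example"}

def sample_findings():
    """Audit the sample export against the sample DNS names (no network)."""
    return find_ghost_spns(SAMPLE_SPNS, lambda h: h in SAMPLE_DNS)

if __name__ == "__main__":
    for account, spn, host in sample_findings():
        print(f"{account}: {spn} -> {host or 'malformed'} has no DNS record")
```

Each finding is a candidate for removal once the referenced host is confirmed as decommissioned.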

👉 Read the original: Cyber Security News