CVE-2022-26925

8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; Microsoft notes that the full chain with an NTLM relay against AD CS would score 9.8)

📋 TL;DR

CVE-2022-26925 is a Windows Local Security Authority (LSA) spoofing vulnerability. An unauthenticated attacker who can reach the LSARPC interface on a domain controller can call a method that coerces the DC into authenticating to an attacker-controlled host over NTLM. The coerced authentication is that of the DC's computer account; relayed to a service that still accepts NTLM (Active Directory Certificate Services web enrollment is the documented target), it yields material that lets the attacker act as the DC and take over the domain. This is the LSARPC variant of the PetitPotam authentication-coercion technique, and Microsoft describes the caller as unauthenticated, so treat it as reachable by anyone on the network with a path to a DC.

💻 Affected Systems

Products:
  • Windows Server
  • Windows
Versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2 SP1, Windows 11, Windows 10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable LSA code ships on every listed release, but the realistic target is a domain controller: coercing a DC's computer-account authentication is what makes the relay worthwhile. Member servers and workstations can be coerced as well, with correspondingly lower payoff.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete domain compromise where attackers gain domain administrator privileges, control all domain resources, and establish persistence across the entire Active Directory environment.

🟠

Likely Case

An attacker with a foothold on the internal network coerces a DC into authenticating to a host they control, relays the DC computer account's NTLM authentication to AD CS web enrollment to obtain a certificate for the DC account, and uses that certificate to authenticate as the DC and replicate credential material (DCSync). From there: domain-admin-equivalent access, credential theft across the domain, and lateral movement.

🟢

If Mitigated

The patch rejects anonymous LSARPC calls, and relay hardening (Extended Protection for Authentication on AD CS, SMB signing, LDAP signing and channel binding, NTLM restricted where feasible) leaves a coerced authentication with nowhere useful to land; remaining attempts show up as DC computer-account NTLM logons from addresses that are not the DC.

🌐 Internet-Facing: LOW - Requires a network path to a domain controller's SMB/RPC endpoints (the LSARPC named pipe), which should never be exposed to the internet.
🏢 Internal Only: HIGH - No credentials are needed; any host with SMB reach to a DC can trigger the coercion, and the relay targets (AD CS, LDAP, other DCs) sit on the same internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH (CVSS AC:H)

No credentials are needed to trigger the coercion, but the attacker must also control a host the DC can connect to and a relay target that still accepts NTLM, which is why the CVSS attack complexity is rated high. Microsoft confirmed exploitation in the wild, and the technique is a variant of PetitPotam for which public tooling exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 10, 2022 security updates (KB5013942, KB5013943, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925

Restart Required: Yes

Instructions:

1. Apply the May 10, 2022 (or any later) cumulative update for each Windows release. The KB number differs per release, so track the OS build rather than one KB.
2. Patch every domain controller first, in a maintenance window, and reboot; a single unpatched DC leaves the domain coercible.
3. Install the latest cumulative update rather than the original May 10 package: Microsoft released out-of-band updates later in May 2022 to fix authentication failures that the May DC updates introduced for some certificate-based logons, so test in a lab before broad rollout.
4. Then patch member servers (AD CS and other relay targets in particular) and workstations, through WSUS, Configuration Manager or Intune.
5. Verify the build on all DCs (see How to Verify below).

🔧 Temporary Workarounds

Restrict NTLM Authentication

windows

The coerced authentication is outbound from the DC (the DC is the NTLM client), so on domain controllers the setting that matters is outgoing NTLM; restricting incoming NTLM belongs on the relay targets. Restricting NTLM does not block the LSARPC call itself, it only stops the coerced authentication from completing over NTLM. Audit first: NTLM events 8001-8004 in the Microsoft-Windows-NTLM/Operational log show which clients and services still depend on NTLM before anything is denied.

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (on DCs), and Network security: Restrict NTLM: Incoming NTLM traffic on the relay targets (AD CS web enrollment servers above all), paired with Extended Protection for Authentication on AD CS as described in Microsoft's KB5005413 guidance.
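The staging sequence described above, as an added example that is not from the original page: read the current Restrict NTLM state and apply the audit-then-deny settings to a DC or a relay target. The registry values are the ones the listed Group Policy settings write under Lsa\MSV1_0 (Microsoft's value names); run elevated on the host, and prefer GPO for fleet-wide rollout.

```powershell
# Added example (not from the original page). Values under Lsa\MSV1_0 are the registry
# backing of the "Network security: Restrict NTLM" policies; their semantics are Microsoft's.
$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmRestrictionState {
    # $null for a value means "not configured", which behaves as "allow all".
    $p = Get-ItemProperty -Path $Msv10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutgoingNtlmToRemoteServers = $p.RestrictSendingNTLMTraffic    # 0 allow all, 1 audit all, 2 deny all
        IncomingNtlm                = $p.RestrictReceivingNTLMTraffic  # 0 allow all, 1 deny domain accounts, 2 deny all
        AuditIncomingNtlm           = $p.AuditReceivingNTLMTraffic     # 0 off, 1 domain accounts, 2 all accounts
    }
}

function Set-NtlmRestriction {
    param(
        [Parameter(Mandatory)] [ValidateSet('DomainController', 'RelayTarget')] [string] $Role,
        [ValidateSet('Audit', 'Deny')] [string] $Mode = 'Audit'
    )
    switch ($Role) {
        'DomainController' {
            # The DC is the NTLM *client* in a coerced authentication, so restrict outgoing NTLM.
            # Audit (1) logs events 8001-8004 in Microsoft-Windows-NTLM/Operational without
            # breaking anything; move to Deny (2) only after a full business cycle shows no use.
            $v = if ($Mode -eq 'Audit') { 1 } else { 2 }
            Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value $v -Type DWord
        }
        'RelayTarget' {
            # AD CS web enrollment and similar hosts: audit incoming NTLM, then deny it entirely.
            # Pair this with Extended Protection for Authentication on the IIS application.
            Set-ItemProperty -Path $Msv10 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
            if ($Mode -eq 'Deny') {
                Set-ItemProperty -Path $Msv10 -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
            }
        }
    }
    Get-NtlmRestrictionState
}

# Usage (uncomment to apply; shown for a DC in audit mode):
# Set-NtlmRestriction -Role DomainController -Mode Audit
Get-NtlmRestrictionState
```

Denying incoming NTLM on a domain controller itself is not a mitigation for this CVE and breaks every NTLM logon the DC still services, which is why the function only touches the incoming values for the relay-target role.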

Network Segmentation

all

Domain members need SMB to domain controllers for SYSVOL and Group Policy, so inbound TCP 445 to DCs usually cannot be blocked from the user network; restrict it from guest, IoT and other untrusted segments. The more effective control is egress: a DC has no business initiating SMB (TCP 445) or HTTP/WebDAV connections to arbitrary workstations, so filter outbound connections from DCs to everything except other DCs and named infrastructure. The coerced authentication needs that outbound connection to reach the attacker's host.

🧯 If You Can't Patch

  • Harden the relay targets, since the coerced authentication is only valuable where it can be relayed: enable Extended Protection for Authentication and disable NTLM on AD CS web enrollment (Microsoft's KB5005413 guidance), require SMB signing, and require LDAP signing and channel binding on domain controllers
  • Filter outbound SMB and HTTP from domain controllers to anything that is not another DC or named infrastructure, so a coerced DC cannot complete the connection to an attacker host
  • Restrict DC administration to dedicated, hardened admin hosts, and treat any non-DC that opens the lsarpc pipe on a DC as suspicious
  • Turn on the auditing that makes the attack visible: Audit Detailed File Share (event 5145 for the lsarpc pipe), logon auditing (4624) and NTLM auditing, and alert on DC computer accounts authenticating over NTLM from addresses other than the DC itself

🔍 How to Verify

Check if Vulnerable:

Check Windows version and patch level: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"

Check Version:

wmic os get caption,version,buildnumber

Verify Fix Applied:

Verify that the May 2022 or a later cumulative update is installed. KB5013942 is the Windows 10 20H2/21H1/21H2 package and KB5013943 the Windows 11 package; other releases use different KB numbers, and a later cumulative update supersedes these so the original KB no longer appears in the hotfix list. Grepping for one KB therefore only proves the positive case: wmic qfe list | findstr "5013942". For a reliable answer compare the OS build (winver, or the UBR value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) against the build listed in Microsoft's release notes for the update.
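A build-based check, as an added example that is not from the original page: it classifies a host as patched by comparing its build revision (UBR) with the minimum revision shipped on May 10, 2022, which survives later cumulative updates replacing the original KB. The minimum revisions are taken from Microsoft's May 2022 release notes; Windows Server 2008 R2 and 2012 R2 use monthly rollups without a UBR and are reported Unknown, so check those with Get-HotFix against the advisory. Get-DcPatchState assumes the RSAT ActiveDirectory module and WinRM access to each DC.

```powershell
# Added example (not from the original page): decide patch state from the OS build.
# Minimum UBR per build is the May 10, 2022 cumulative update; later CUs are higher.
$MinimumUbr = @{
    '10.0.22000' = 675     # Windows 11 21H2                          (KB5013943)
    '10.0.20348' = 707     # Windows Server 2022                      (KB5013944)
    '10.0.19044' = 1706    # Windows 10 21H2                          (KB5013942)
    '10.0.19043' = 1706    # Windows 10 21H1                          (KB5013942)
    '10.0.19042' = 1706    # Windows 10 20H2 / Server 20H2            (KB5013942)
    '10.0.17763' = 2928    # Windows Server 2019 / Windows 10 1809    (KB5013941)
    '10.0.14393' = 5125    # Windows Server 2016 / Windows 10 1607    (KB5013952)
}

function Test-Cve202226925Build {
    # Pure function so it can be applied to inventory exports as well as live hosts.
    param([string] $Version, [int] $Ubr)
    if (-not $MinimumUbr.ContainsKey($Version)) { return 'Unknown' }   # no UBR-based rule for this release
    if ($Ubr -ge $MinimumUbr[$Version]) { 'Patched' } else { 'VULNERABLE' }
}

$Probe = {
    # Runs on the target host. Win32_OperatingSystem.ProductType 2 = domain controller.
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        IsDC    = ($os.ProductType -eq 2)
        Version = $os.Version      # e.g. 10.0.17763
        Ubr     = [int]$cv.UBR     # e.g. 2928
    }
}

function Get-DcPatchState {
    # Every DC in the domain; one unpatched DC is enough to keep the domain coercible.
    Get-ADDomainController -Filter * | ForEach-Object {
        $r = Invoke-Command -ComputerName $_.HostName -ScriptBlock $Probe
        $r | Add-Member -NotePropertyName State `
                        -NotePropertyValue (Test-Cve202226925Build $r.Version $r.Ubr) -PassThru
    }
}

# Local host:
$local = & $Probe
$local | Add-Member -NotePropertyName State `
                    -NotePropertyValue (Test-Cve202226925Build $local.Version $local.Ubr) -PassThru
# All DCs: Get-DcPatchState | Format-Table -AutoSize
```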

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4624, logon type 3, authentication package NTLM, where the account is a domain controller's computer account (e.g. DC01$) and the source network address is not that DC; this is logged on the relay target, so collect it from AD CS servers and all DCs, not only the coerced DC
  • Event ID 5145 on the DC (requires Audit Detailed File Share) with share name \\*\IPC$ and relative target name lsarpc from a source that is not another DC; ANONYMOUS LOGON as the subject is the pre-patch signature
  • Event ID 4672 for a DC computer account on an unexpected logon, followed by 4662 directory service access with replication control access rights from a non-DC account, consistent with DCSync after a successful relay

Network Indicators:

  • SMB sessions to a DC's IPC$ that bind the lsarpc pipe from hosts that are not DCs or admin workstations
  • A DC initiating outbound SMB (TCP 445) or HTTP/WebDAV connections to a workstation or an unknown host; a DC has no legitimate reason to act as an SMB client toward user subnets
  • NTLM authentication to AD CS web enrollment (/certsrv) or to LDAP from an address other than the machine named in the credential

SIEM Query:

source="WinEventLog:Security" EventCode=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName="*$" | lookup dc_inventory.csv TargetUserName OUTPUT dc_ip | where isnotnull(dc_ip) AND IpAddress!=dc_ip | stats count earliest(_time) AS first_seen values(host) AS relay_targets by TargetUserName, IpAddress

Field names assume XML-rendered Security events from the Splunk Windows add-on; dc_inventory.csv is an assumed lookup mapping each DC computer account (TargetUserName) to its address (dc_ip). The query flags a DC computer account performing an NTLM network logon from an address that is not the DC, which is the relayed half of the attack; tune the time window rather than a raw count, since a single hit is already worth a look.
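The log indicators above as a runnable rule, added here and not part of the original page. The DC inventory and the sample events are constructed for illustration; the EventData property names (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, ShareName, RelativeTargetName, SubjectUserName) are the standard ones for events 4624 and 5145, and the live-use line at the end assumes the Security log is readable on the host it is run on.

```powershell
# Added example (not from the original page): flag the footprint of a coerced DC
# authentication in Security events. Inventory and sample events are constructed.
$DomainControllers = @{ 'DC01$' = '10.0.0.10'; 'DC02$' = '10.0.0.11' }   # constructed inventory
$DcAddresses = @($DomainControllers.Values)

function ConvertTo-Record {
    # Flatten an EventLogRecord into Id / Time / Data so the rule works on live or exported events.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Find-CoercionIndicators {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.Data
        switch ($Record.Id) {
            4624 {
                # Logged on the relay target: a DC computer account doing an NTLM network logon
                # from an address that is not that DC. Legitimate DC traffic comes from the DC itself.
                if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and
                    $DomainControllers.ContainsKey($d.TargetUserName) -and
                    $DomainControllers[$d.TargetUserName] -ne $d.IpAddress) {
                    [pscustomobject]@{ Time = $Record.Time; Rule = 'DC account NTLM logon from foreign address'
                                       Account = $d.TargetUserName; Source = $d.IpAddress }
                }
            }
            5145 {
                # Logged on the DC when "Audit Detailed File Share" is on: a client opening the
                # lsarpc pipe over IPC$. Other DCs do this legitimately; anything else is worth review.
                if ($d.ShareName -eq '\\*\IPC$' -and $d.RelativeTargetName -eq 'lsarpc' -and
                    $DcAddresses -notcontains $d.IpAddress) {
                    [pscustomobject]@{ Time = $Record.Time; Rule = 'lsarpc pipe opened from non-DC'
                                       Account = $d.SubjectUserName; Source = $d.IpAddress }
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry): a benign DC-to-DC logon, an anonymous
# lsarpc open from 10.0.5.77, then DC01$ authenticating over NTLM from that same host.
$Sample = @(
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2022-05-11T09:00:00'
        Data = @{ LogonType = '3'; AuthenticationPackageName = 'NTLM'; TargetUserName = 'DC02$'; IpAddress = '10.0.0.11' } }
    [pscustomobject]@{ Id = 5145; Time = [datetime]'2022-05-11T09:01:10'
        Data = @{ ShareName = '\\*\IPC$'; RelativeTargetName = 'lsarpc'; SubjectUserName = 'ANONYMOUS LOGON'; IpAddress = '10.0.5.77' } }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2022-05-11T09:01:12'
        Data = @{ LogonType = '3'; AuthenticationPackageName = 'NTLM'; TargetUserName = 'DC01$'; IpAddress = '10.0.5.77' } }
)
$Sample | Find-CoercionIndicators | Format-Table -AutoSize   # the second and third records are flagged

# Live use on a DC or a relay candidate (AD CS web enrollment host, other DCs):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5145 } | ConvertTo-Record | Find-CoercionIndicators
```

The 4624 rule has to run on every host that could be a relay target, not only on domain controllers, because the relayed logon is recorded where the attacker lands it.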
