CVE-2025-21293 – Privilege Escalation Vulnerability and Mitigation

CVE-2025-21293 is a privilege escalation vulnerability in Microsoft Active Directory Domain Services (AD DS) that allows attackers to gain SYSTEM-level privileges within a Windows environment.

The vulnerability arises from misconfigured permissions granted to the built-in Network Configuration Operators group, which by default can create registry subkeys under critical system services such as DnsCache (DNS Client Service) and NetBT (NetBIOS over TCP/IP Service) without holding full administrative rights. This over-permissive setting enables an attacker who is a member of the group to register malicious Dynamic Link Libraries (DLLs) as Windows performance counter providers; those DLLs are then loaded and executed with SYSTEM privileges, effectively giving the attacker full control over the affected system.

How the Exploit Works:

  • The attacker leverages the CreateSubKey permission granted to the Network Configuration Operators group on the registry keys of the affected services to modify the keys associated with performance monitoring.
  • They register malicious DLLs as performance counter libraries linked to services like DnsCache.
  • When these performance counters are queried (e.g., via WMI), Windows loads and executes these DLLs with SYSTEM-level privileges, enabling privilege escalation from a limited network configuration role to full system control.

Impact:

As Active Directory is essential for identity and access management in corporate networks, an attacker exploiting this vulnerability could elevate local privileges on a machine, allowing for credential harvesting efforts by dumping SAM and LSASS secrets, followed by lateral movement opportunities and potential escalation to domain compromise.

Affected Windows Versions:

  • Windows 10 (32-bit) – 1607, 1809, 21H2, 22H2
  • Windows 10 (64-bit) – 1607, 1809, 21H2, 22H2
  • Windows 10 (ARM64) – 21H2, 22H2
  • Windows 11 (64-bit) – 22H2, 23H2, 24H2
  • Windows 11 (ARM64) – 22H2, 23H2, 24H2
  • Windows Server – 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025

Remediation Guidelines:

  • Microsoft released a security patch (linked under references) for this vulnerability in its January 2025 Patch Tuesday update. It is strongly recommended that all organizations using Active Directory Domain Services apply this patch immediately to mitigate the risk.
  • Administrators should verify that only trusted users are members of the Network Configuration Operators group, as membership grants sensitive privileges that could be exploited.
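The membership review and the permission check above can be scripted. The following PowerShell audit is an added example, not code from NaviSec, Microsoft, or the referenced write-up. It assumes the affected service keys live under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache and \NetBT, that a registered performance counter provider sits in that service's Performance subkey with its DLL named in the Library value (the documented convention for counter DLLs), and it uses a placeholder for the January 2025 update's KB number, which must be taken from the MSRC entry linked under references. It reports who is in the group, whether the group still holds CreateSubKey on the two service keys, whether any counter DLL already registered there is a real file under the Windows directory, and whether the patch is installed.

```powershell
# Added audit example for CVE-2025-21293 exposure (not code from NaviSec, Microsoft, or the
# referenced write-up). Run in an elevated Windows PowerShell session on the host being assessed.
# Assumptions: the service keys live under HKLM\SYSTEM\CurrentControlSet\Services\<service>, and a
# performance counter provider, if registered, sits in that service's 'Performance' subkey
# with its DLL named in the 'Library' value (the documented convention for counter DLLs).

$Group       = 'Network Configuration Operators'
$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'
)
$PatchKb     = 'KB<placeholder>'   # fill in the January 2025 update ID from the MSRC entry

# 1. Group membership is the precondition the advisory names: anyone listed here must be trusted.
Write-Host "== Members of '$Group' =="
try {
    $members = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop)
    if ($members.Count -eq 0) { Write-Host 'No members (the expected state on most hosts).' }
    else { $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize }
} catch {
    Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
}

# 2. Does the group still hold CreateSubKey on the affected service keys? After the fix it should not.
$CreateSubKey = [System.Security.AccessControl.RegistryRights]::CreateSubKey
foreach ($key in $ServiceKeys) {
    if (-not (Test-Path -Path $key)) { Write-Warning "$key is not present"; continue }
    foreach ($ace in (Get-Acl -Path $key).Access) {
        $isGroup      = $ace.IdentityReference.Value -like "*\$Group"
        $allowsCreate = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.RegistryRights -band $CreateSubKey) -eq $CreateSubKey)
        if ($isGroup -and $allowsCreate) {
            Write-Warning "$key : '$($ace.IdentityReference)' is allowed CreateSubKey ($($ace.RegistryRights))"
        } elseif ($isGroup) {
            Write-Host "$key : '$($ace.IdentityReference)' has $($ace.RegistryRights) (no CreateSubKey)"
        }
    }
}

# 3. Any counter DLL already registered on these services is worth a look: it should be a real
#    file under the Windows directory, not something placed in a user-writable path.
foreach ($key in $ServiceKeys) {
    $perfKey = Join-Path -Path $key -ChildPath 'Performance'
    if (-not (Test-Path -Path $perfKey)) { Write-Host "$perfKey : no performance provider registered"; continue }
    $library = (Get-ItemProperty -Path $perfKey).Library
    if (-not $library) { Write-Host "$perfKey : present but no Library value"; continue }
    $resolved = [Environment]::ExpandEnvironmentVariables($library)
    if (-not [IO.Path]::IsPathRooted($resolved)) {
        # A bare DLL name goes through the normal DLL search order; a legitimate counter DLL
        # lives in System32, so that is where we look for it.
        $resolved = Join-Path -Path $env:SystemRoot -ChildPath "System32\$resolved"
    }
    $underWindows = $resolved.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    if ((Test-Path -Path $resolved) -and $underWindows) {
        Write-Host "$perfKey : Library = $resolved (exists, under $env:SystemRoot)"
    } else {
        Write-Warning "$perfKey : Library = $library resolves to '$resolved' (missing or outside $env:SystemRoot)"
    }
}

# 4. Is the January 2025 cumulative update installed? Skipped until the placeholder is replaced.
if ($PatchKb -notlike '*placeholder*') {
    if (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) { Write-Host "$PatchKb is installed" }
    else { Write-Warning "$PatchKb is NOT installed; apply the January 2025 update" }
}
```

On a domain controller the group is a domain-local group rather than a local one, so replace the Get-LocalGroupMember call with Get-ADGroupMember from the ActiveDirectory module. Any CreateSubKey warning from step 2 on a host that has already been patched, or any Library value in step 3 pointing outside the Windows directory, should be treated as a finding and investigated.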

The CVE-2025-21293 vulnerability underscores the importance of reviewing and tightening default group permissions in Active Directory environments and keeping security patches up to date to prevent privilege escalation attacks.

Contact NaviSec to set up a time to talk about our penetration testing services, ensuring proactive measures are taken to secure your Windows environment following best industry security practices.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21293

https://birkep.github.io/posts/Windows-LPE
