CVE-2025-21293 Alert: Active Directory Privilege Escalation Exploit Goes Public
A new Active Directory vulnerability is making waves in the cybersecurity world! Following the discovery of the zero-click OLE vulnerability in Microsoft Outlook (CVE-2025-21298), another high-risk flaw has emerged: CVE-2025-21293 in Active Directory Domain Services (AD DS).

A Proof-of-Concept (PoC) exploit is now publicly available, significantly increasing the risk of real-world attacks. This vulnerability allows attackers to escalate privileges to SYSTEM level, putting enterprise networks at serious risk. If left unpatched, cybercriminals could compromise entire Active Directory environments, leading to data breaches, ransomware attacks, and persistent backdoors.
🛑 What Is CVE-2025-21293? Understanding the AD DS Privilege Escalation Vulnerability
The Network Configuration Operators group in Active Directory Domain Services (AD DS) is a built-in local group in Windows servers and workstations. It allows limited network management without full admin rights.
🔹 What can members of this group do?
✅ Configure TCP/IP settings
✅ Enable/disable network adapters
✅ Renew/release DHCP leases
✅ Modify DNS settings
By default, this group has no members — but if an attacker gains access, things take a dangerous turn.
How Attackers Exploit Microsoft AD DS CVE-2025-21293
The CVE-2025-21293 vulnerability stems from misconfigured registry permissions assigned to the Network Configuration Operators group. This group holds the CreateSubKey permission on the registry keys of the DnsCache and NetBT services, which allows its members to create subkeys under those keys.
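The two conditions described above (members in a group that is empty by default, and CreateSubKey granted to that group on the DnsCache and NetBT keys) can be audited on a host. This is an added example, not code from the original article; it assumes the service keys sit at the standard `HKLM:\SYSTEM\CurrentControlSet\Services\<name>` location and that the session can read their ACLs.

```powershell
# Added audit example (not from the original article).
# Assumption: service keys are at HKLM:\SYSTEM\CurrentControlSet\Services\<name>.
$ncoSid       = 'S-1-5-32-556'   # well-known SID: BUILTIN\Network Configuration Operators
$services     = 'DnsCache', 'NetBT'
$createSubKey = [System.Security.AccessControl.RegistryRights]::CreateSubKey

# 1. Membership: the group is empty by default, so every member needs a justification.
try {
    $members = @(Get-LocalGroupMember -SID $ncoSid -ErrorAction Stop)
} catch {
    Write-Warning "Could not enumerate group members: $($_.Exception.Message)"
    $members = @()
}
$members | Select-Object Name, ObjectClass, PrincipalSource

# 2. ACLs: list every Allow entry giving the group CreateSubKey on the service keys.
$findings = foreach ($svc in $services) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -Path $path)) { continue }

    # Ask for SIDs rather than names so the match does not depend on OS language.
    $rules = (Get-Acl -Path $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isGroup   = $rule.IdentityReference.Value -eq $ncoSid
        $isAllow   = $rule.AccessControlType -eq 'Allow'
        $canCreate = $rule.RegistryRights.HasFlag($createSubKey)
        if ($isGroup -and $isAllow -and $canCreate) {
            [pscustomobject]@{
                Service   = $svc
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 3. Both conditions together are what the article describes as exploitable.
if ($members.Count -gt 0 -and @($findings).Count -gt 0) {
    Write-Warning ("Group has {0} member(s) and holds CreateSubKey on: {1}" -f
        $members.Count, (($findings.Service | Sort-Object -Unique) -join ', '))
}
```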
Step-by-Step Exploitation Process:
1️⃣ Registry Manipulation: Attackers leverage the CreateSubKey permission to register four performance monitoring subkeys:
- Library subkey — Defines the DLL used for performance monitoring.
- Open / Collect / Close subkeys — Specify function names for handling performance data.