Full Report
Microsoft says the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers. [...]
Analysis Summary
# Incident Report: Kerberos Authentication Bypass via Vulnerable Windows Updates
## Executive Summary
This event details intermittent security incidents stemming from Microsoft's April security updates which introduced a vulnerability (CVE-2025-26647) in Kerberos authentication across various Windows Server versions. The vulnerability allows an authenticated attacker to exploit a weakness in the Key Distribution Center (KDC) to obtain elevated rights via a forged certificate, potentially leading to unauthorized access or credential theft, mitigated via a specific registry modification.
## Incident Details
- Discovery Date: During or shortly after the April updates were released (implied, as the issue is tied to the updates).
- Incident Date: April (implied by association with "April updates").
- Affected Organization: Any entity running domain-connected Windows Servers (Windows 2000 and later) patched with the affected April updates.
- Sector: Broad impact across any sector utilizing Windows Server Active Directory.
- Geography: Global (where affected Windows Servers are deployed).
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but tied to the deployment of the April security updates.
- Vector: Exploitation of a flaw in the Kerberos Key Distribution Center (KDC) authentication protocol following the installation of the update.
- Details: The vulnerability (CVE-2025-26647) allows an authenticated attacker to bypass intended certificate restrictions.
### Lateral Movement
- Details: An attacker, exploiting the vulnerability, could obtain a Ticket Granting Ticket (TGT) for a target user by acquiring a certificate containing the target Subject Key Identifier (SKI) value from a Certificate Authority (CA). This implies lateral movement potential by impersonating authorized users.
### Data Exfiltration/Impact
- Details: The impact involves an authenticated attacker being assigned "much greater rights by the Key Distribution Center to the certificate than intended," suggesting privilege escalation and unauthorized access/data exposure.
### Detection & Response
- Detection: Microsoft detected and acknowledged the issue, leading to public disclosure and guidance.
- Response Actions: Microsoft provided a workaround advising customers to modify the `AllowNtAuthPolicyBypass` registry value to "1" in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc`.
## Attack Methodology
- Initial Access: Exploiting the vulnerable Kerberos authentication mechanism post-patching.
- Persistence: Not explicitly detailed, but successful exploitation grants a TGT, which inherently grants temporary session persistence.
- Privilege Escalation: **Achieved by exploiting the vulnerability related to the Subject Key Identifier (SKI) in certificates processed by the KDC, resulting in the assignment of greater rights.**
- Defense Evasion: Not explicitly detailed, but successful TGT issuance appears to bypass standard authorization checks.
- Credential Access: Obtaining a forged certificate containing the target SKI.
- Discovery: Not applicable, as this is a patch-related vulnerability exploitation, not network reconnaissance.
- Lateral Movement: Obtaining a TGT for a target user.
- Collection: Implied, as greater rights would enable access to sensitive resources.
- Exfiltration: Not explicitly detailed, but a potential outcome of escalated privileges.
- Impact: Operational disruption due to authentication issues, and potential for unauthorized access/rights abuse.
## Impact Assessment
- Financial: Not quantified, but repair costs (patching/remediation) and potential fallout from unauthorized access would apply.
- Data Breach: Potential for unauthorized access to data/systems belonging to targeted users.
- Operational: Initial reports cite general "Windows Server auth issues," suggesting broad service disruption until mitigation is applied.
- Reputational: Potential negative impact on organizations experiencing authentication failures.
## Indicators of Compromise
- Network indicators: N/A (Focus is on the internal KDC process).
- File indicators: N/A (This is a configuration/logic vulnerability).
- Behavioral indicators: Anomalous TGT requests or unusual privilege assignments confirmed by KDC logs.
## Response Actions
- Containment Measures: Immediate mitigation involves applying the registry workaround: Setting `AllowNtAuthPolicyBypass` from "2" to "1" in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc`.
- Eradication Steps: N/A (This is a vulnerability induced by a patch, eradication is achieved by configuration change or subsequent official fix).
- Recovery Actions: Implementing the registry change across all affected domain controllers and servers.
## Lessons Learned
- Key takeaways: Patches, even security updates, require rigorous pre-deployment testing, especially concerning core authentication services like Kerberos, as post-patch issues can cause widespread outages or introduce new security weaknesses.
- What could have been done better: Microsoft should have identified the potential for privilege escalation via certificate manipulation before deploying the update broadly.
## Recommendations
- Prevention measures for similar incidents: Implement robust testing environments that simulate worst-case authentication scenarios before pushing updates to production Active Directory infrastructure. Maintain awareness of workarounds provided by vendors for newly discovered patch defects.