
Source: Sebastian Sadeq Birke
A newly disclosed elevation of privilege vulnerability (CVE-2025-21293) in Active Directory Domain Services (AD DS) has been patched by Microsoft in its January 2025 security update. The vulnerability, discovered and reported by Sebastian Sadeq Birke of ReTest Security ApS, allows an attacker to escalate privileges to SYSTEM by abusing default Active Directory security groups and Windows performance monitoring mechanisms.
The vulnerability is rooted in Active Directory’s “Network Configuration Operators” group, a default security group automatically created when setting up on-premises domain controllers. This group is meant to grant users control over network interfaces without giving them full administrative rights. However, as Birke discovered, Microsoft left this group with excessive privileges, specifically the ability to create registry subkeys for sensitive services.
“For some reason, Microsoft left this old built-in group with one too many rights over the system,” the researcher explained.
In terms of Registry Key Security and Access Rights, the Network Configuration Operators group held the CreateSubKey right on two service-related registry keys under HKLM\SYSTEM\CurrentControlSet\Services:
- DnsCache (DNS Client Service)
- NetBT (NetBIOS over TCP/IP Service)
This misconfiguration set the stage for an unexpected privilege escalation.
The exploit takes advantage of Windows Performance Counters, a mechanism through which applications and services register counter-collection routines (performance counter provider DLLs) that are loaded when the counters are queried, for example by PerfMon.exe or through Windows Management Instrumentation (WMI). Because a service's counter provider is registered under that service's registry key, a right to create subkeys beneath DnsCache or NetBT is what makes the abuse possible.
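The following PowerShell audit is an added example for this article, not the researcher's PoC or Microsoft's tooling. It checks whether BUILTIN\Network Configuration Operators (well-known SID S-1-5-32-556) still holds CreateSubKey on the two service keys named above, and lists whatever performance counter provider is registered in each key's Performance subkey so that an unexpected Library path stands out. It assumes the standard key paths under HKLM\SYSTEM\CurrentControlSet\Services and should be run in an elevated session on a domain controller.

```powershell
# Added audit script (not from the original article or the researcher's PoC).
# Assumptions: standard service key paths, and the group identified by its
# well-known SID S-1-5-32-556 (BUILTIN\Network Configuration Operators).
# Run in an elevated PowerShell session on a domain controller.

$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',  # DNS Client service
    'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'      # NetBIOS over TCP/IP
)
$netCfgOpsSid  = 'S-1-5-32-556'
$createSubKey  = [System.Security.AccessControl.RegistryRights]::CreateSubKey

function Test-NetCfgOpsCreateSubKey {
    # Returns one object per Allow ACE that grants CreateSubKey to the group.
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE principal to a SID so a localized group name does not matter.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($sid -ne $netCfgOpsSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $createSubKey) -eq $createSubKey) {
            $findings += [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

function Get-PerfProviderRegistration {
    # Reports the counter provider DLL registered under <service>\Performance,
    # where the Library / Open / Collect / Close values live.
    param([Parameter(Mandatory)][string]$Path)
    $perf = Join-Path $Path 'Performance'
    if (-not (Test-Path $perf)) { return $null }
    $p = Get-ItemProperty -Path $perf -ErrorAction SilentlyContinue
    $lib = $p.Library
    $resolved = $null
    if ($lib) {
        $expanded = [Environment]::ExpandEnvironmentVariables($lib)
        # A bare file name is loaded from System32; a rooted path is used as-is.
        $resolved = if ([System.IO.Path]::IsPathRooted($expanded)) { $expanded }
                    else { Join-Path $env:SystemRoot ('System32\' + $expanded) }
    }
    [pscustomobject]@{
        PerformanceKey = $perf
        Library        = $lib
        ResolvedPath   = $resolved
        LibraryExists  = if ($resolved) { Test-Path $resolved } else { $false }
        OutsideWinDir  = if ($resolved) { -not $resolved.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase') } else { $false }
        Open           = $p.Open
        Collect        = $p.Collect
        Close          = $p.Close
    }
}

foreach ($key in $serviceKeys) {
    if (-not (Test-Path $key)) { Write-Warning "Missing key: $key"; continue }

    $hits = Test-NetCfgOpsCreateSubKey -Path $key
    if ($hits) {
        Write-Host "[!] $key : Network Configuration Operators still holds CreateSubKey" -ForegroundColor Red
        $hits | Format-Table -AutoSize
    } else {
        Write-Host "[+] $key : no CreateSubKey grant to Network Configuration Operators" -ForegroundColor Green
    }

    $reg = Get-PerfProviderRegistration -Path $key
    if ($null -eq $reg) {
        Write-Host "    no Performance subkey registered"
    } else {
        $flag = if ($reg.OutsideWinDir -or -not $reg.LibraryExists) { '[!]' } else { '   ' }
        Write-Host "$flag Performance\Library = $($reg.Library) -> $($reg.ResolvedPath) (exists: $($reg.LibraryExists))"
    }
}
```

A red line on either key means the ACL still grants the pre-patch right and the January 2025 update has not taken effect there; review the ACE's inheritance before removing it by hand. A Performance subkey whose Library resolves outside the Windows directory, or to a file that does not exist, is worth investigating regardless of patch state.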
Birke has also published a proof-of-concept (PoC) exploit on his blog to demonstrate CVE-2025-21293 and its potential impact.
Microsoft has addressed this vulnerability in the January security update released on January 14, 2025. It is highly recommended that all organizations using Active Directory Domain Services apply this update as soon as possible to mitigate the risk.