Machine authentication allowing remote execution of commands with high privileges | Image: Andrea Pierini
A newly disclosed Windows vulnerability, CVE-2025-58726, allows attackers with low privileges to gain SYSTEM-level access remotely by exploiting a flaw in Kerberos authentication reflection. The issue, identified and reported by Andrea Pierini, a researcher at Semperis, affects all Windows versions unless SMB signing is enforced and has been patched by Microsoft in the October 2025 Patch Tuesday.
According to Pierini’s findings, “Kerberos authentication reflection can be abused for remote privilege escalation, even after applying the fix for CVE-2025-33073.” The exploit leverages “Ghost SPNs” (Service Principal Names mapped to hostnames that fail to resolve) to trick Windows into authenticating to itself over SMB and elevate privileges to SYSTEM.
Kerberos has long been considered one of the most secure authentication protocols in enterprise Windows environments, but as Pierini explains, it has a critical blind spot:
“Authentication reflection occurs when an attacker captures an authentication request from a victim (machine or user) and reflects or replays that authentication back to the victim’s own service. The attack tricks the victim into authenticating to itself, enabling the attacker to escalate privileges, even without knowing credentials.”

While NTLM reflection attacks have been mitigated for years, Kerberos lacks a universal reflection-detection mechanism. This makes it possible for a standard domain user to abuse misconfigurations in SPNs and DNS records to relay a machine's own Kerberos authentication back to that machine and gain elevated access on it.
At the core of CVE-2025-58726 lies the concept of Ghost SPNs: Service Principal Names that remain registered on a computer account but reference hostnames no longer present in DNS. These ghosts are common in large or aging Active Directory environments, typically left behind by decommissioned systems, typos in deployment scripts, or hybrid setups with unreachable hosts.
“Ghost SPNs introduce an exploitable attack surface that adversaries can leverage,” Pierini noted. “Default Active Directory settings allow standard users to register DNS records, enabling this attack.”
By registering a DNS record for the hostname in a Ghost SPN that resolves to an attacker-controlled IP, a low-privilege user can trick the target system into authenticating to the attacker's host. Because the Ghost SPN is registered on the target's own computer account, the service ticket the target obtains is for itself; when the attacker relays that Kerberos authentication back to the target's SMB service, the machine authenticates as itself and the resulting session is mapped to SYSTEM.
“After the attacker remotely triggers the authentication, the target requests a TGS service ticket for the Ghost SPN. Because that authentication is received as the computer account (which the OS maps to SYSTEM), the attacker can relay the AP-REQ back to the target, ultimately obtaining full administrative privileges,” Pierini wrote.
The attack chain exploiting CVE-2025-58726 requires minimal prerequisites:
- A low-privilege domain user account.
- A domain-joined target whose SMB server does not require signing (SMB signing not enforced).
- A Ghost SPN configured for HOST/… or CIFS/… on the target.
- The ability to register DNS records (enabled by default in Active Directory).
Once these conditions are met, the attacker performs the following sequence:
- Identifies a Ghost SPN tied to the target machine.
- Registers a DNS record for that SPN pointing to the attacker’s IP.
- Runs a Kerberos relay listener on the attacker's host, such as Pierini's open-source KrbRelayEx, to receive the target's authentication.
- Coerces the target into authenticating to the attacker's host using tools like PrinterBug or PetitPotam.
- Relays the captured Kerberos AP-REQ back to the target's SMB service.
- Gains SYSTEM-level access on the target remotely over SMB.
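The two prerequisites above that a defender controls are the stale SPNs and the SMB signing policy. As an added example (this is not code from Pierini, Semperis or Microsoft), the following PowerShell lists HOST/ and CIFS/ SPNs on computer accounts whose hostname no longer resolves, or resolves to an address other than the owning computer's (which would mean a Ghost SPN has already been re-homed), and reports whether a host's SMB server requires signing. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host with read access to computer objects, CIM/WinRM access for the signing check, and write access to servicePrincipalName for the optional -Remediate switch; the function names, the -Remediate switch and the host names in the usage lines are my own.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
<#
  Ghost-SPN audit. Added example: not code from Pierini, Semperis or Microsoft.
  Assumes RSAT ActiveDirectory + DnsClient modules on a domain-joined host with
  read access to computer objects; -Remediate additionally needs write access
  to servicePrincipalName, and Test-SmbSigningRequired needs CIM (WinRM) access.
#>
function Get-GhostSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Service classes the write-up names as exploitable (SMB falls back from CIFS/ to HOST/).
        [string[]] $ServiceClass = @('HOST', 'CIFS'),
        [string]   $SearchBase,
        # Remove stale SPNs from the owning computer account; run with -WhatIf first.
        [switch]   $Remediate
    )

    $query = @{
        Filter     = 'servicePrincipalName -like "*"'
        Properties = 'servicePrincipalName', 'dNSHostName', 'IPv4Address'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($computer in Get-ADComputer @query) {
        # Address the owning computer legitimately answers on (empty if it has no A record).
        $ownerAddr = @($computer.IPv4Address | Where-Object { $_ })

        foreach ($spn in $computer.servicePrincipalName) {
            # SPN syntax: class/host[:port][/name]
            $parts = $spn -split '/'
            if ($parts.Count -lt 2 -or $ServiceClass -notcontains $parts[0]) { continue }
            $hostPart = ($parts[1] -split ':')[0]

            # The account's own name entries are expected; anything else is a candidate.
            if ($hostPart -ieq $computer.dNSHostName -or $hostPart -ieq $computer.Name) { continue }

            $resolved = @()
            try {
                $resolved = @(Resolve-DnsName -Name $hostPart -Type A -ErrorAction Stop |
                              Where-Object Type -eq 'A' | ForEach-Object IPAddress)
            } catch { }   # NXDOMAIN or lookup failure: the name does not resolve

            $status = $null
            if ($resolved.Count -eq 0) {
                # Unresolvable: a standard user can register this name and become the relay endpoint.
                $status = 'Ghost'
            } elseif ($ownerAddr.Count -gt 0 -and -not ($resolved | Where-Object { $ownerAddr -contains $_ })) {
                # Resolves, but not to the owner: may already have been re-homed by an attacker.
                $status = 'Rehomed'
            }
            if (-not $status) { continue }

            [pscustomobject]@{
                Computer = $computer.Name
                SPN      = $spn
                Host     = $hostPart
                Resolves = $resolved -join ','
                Status   = $status
            }

            if ($Remediate -and $status -eq 'Ghost' -and
                $PSCmdlet.ShouldProcess($computer.Name, "Remove SPN $spn")) {
                Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Remove = $spn }
            }
        }
    }
}

function Test-SmbSigningRequired {
    # The relayed AP-REQ is only rejected when the SMB *server* requires signing;
    # EnableSecuritySignature merely offers it, so check RequireSecuritySignature.
    param([string[]] $ComputerName = $env:COMPUTERNAME)
    foreach ($name in $ComputerName) {
        $cfg = Get-SmbServerConfiguration -CimSession $name
        [pscustomobject]@{
            Computer                 = $name
            RequireSecuritySignature = $cfg.RequireSecuritySignature
            Exposed                  = -not $cfg.RequireSecuritySignature
        }
    }
}

# Usage (hypothetical host names):
#   Get-GhostSpn | Format-Table
#   Get-GhostSpn -Remediate -WhatIf
#   Test-SmbSigningRequired -ComputerName 'fs01','adcs01' | Where-Object Exposed
```

A 'Ghost' row is an SPN any authenticated user could claim by registering the name in DNS; a 'Rehomed' row deserves immediate attention because the name already points somewhere other than the account that holds the SPN. 'Exposed' in the signing check only means the SMB server will accept an unsigned session, i.e. signing is not the control stopping the relay; the October 2025 patch is the other control, and neither check replaces removing the stale SPNs themselves. A host that only has an AAAA record will show as 'Ghost' with this A-only lookup, so extend the query type if you run IPv6-only hosts.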
Pierini's network capture analysis showed that "a TGS/AP-REQ was requested for SPN CIFS/GHOST," illustrating that the target obtained a service ticket for a Ghost SPN held by its own account, which is exactly the authentication that is then reflected back to it.
If the targeted host happens to be a Tier 0 asset, for example an Active Directory Certificate Services (AD CS) server or a domain controller, this could quickly escalate to full domain compromise.
The attack notably bypasses Microsoft’s earlier patch for CVE-2025-33073, which fixed a related SMB client privilege escalation bug. As Pierini observed:
“The fix for CVE-2025-33073 addressed a specific SMB client issue. However, the Ghost SPN attack method bypasses that fix. The vulnerability lies in Kerberos itself, which fails to prevent authentication reflection.”
This insight demonstrates that the vulnerability exists within the Kerberos protocol handling itself, not merely within SMB, meaning other Kerberos-reliant services—such as RDP, WMI, or RPC/DCOM—could be vulnerable under certain conditions.
Pierini’s reverse engineering of Microsoft’s October 2025 patch revealed that the mitigation resides in the SRV2.SYS driver, which implements server-side SMB logic.