March 2026
Vulnerability
Patch Tuesday
CVE-2026-25177 — AD DS Privilege Escalation via Unicode SPN/UPN Manipulation (CVSS 8.8)
Microsoft's March 2026 Patch Tuesday fixed a high-severity Active Directory Domain Services vulnerability. An attacker with low privileges can place crafted Unicode characters in Service Principal Names (SPNs) or User Principal Names (UPNs) so that the values slip past AD's duplicate-name validation. This can cause Kerberos to issue tickets encrypted with the wrong key, force authentication to fall back to NTLM, and ultimately escalate to SYSTEM privileges. Network-reachable, low complexity, no user interaction required. Microsoft rates exploitation as "less likely" and it is not currently in the CISA KEV catalog, but the attack surface is broad — patch your domain controllers ASAP.
Microsoft Security Response Center →
February 2026
Hardening
Deprecation
Microsoft Announces 3-Phase Plan to Kill NTLM — Kerberos Migration Roadmap is Official
Microsoft has formally laid out a three-phase roadmap to deprecate NTLM across Windows. Phase 1 (available now) introduces enhanced NTLM auditing to identify where NTLM is still in use. Phase 2 (expected H2 2026) tackles common migration blockers with IAKerb and a local Key Distribution Center (KDC). Phase 3 will disable NTLM by default in the next Windows Server and client releases, requiring explicit re-enablement via policy. Worth noting: Windows Server 2025 and Windows 11 24H2 already kill NTLMv1, which is a real win. NTLMv2 is a different story entirely — it's deeply embedded in enterprise environments with far more dependencies, and actually removing it will be significantly harder. Phase 3 hinges on the "next major release," which for most orgs means a 5-10 year adoption horizon at best. The auditing in Phase 1 is genuinely useful, but don't hold your breath on NTLM disappearing anytime soon.
Microsoft Windows IT Pro Blog →
January 2026
Hardening
Tool
January Patch Tuesday Breaks Shadow Credentials — Tooling Already Updated
Microsoft's January 2026 cumulative update (KB5073723 for Server 2019, KB5073379 for Server 2025) introduced changes that broke Shadow Credentials attacks. The security community quickly diffed the update to pin down exactly what had changed, and RedTeamPentesting has already released keycred v1.2.1 to work with the new requirements.
@RedTeamPT on X →