Active Directory Domain Services Elevation of Privilege Vulnerability
Plan Patch | CVSS 8.8 | CVE-2026-25177 | Mar 10, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
A vulnerability in Active Directory Domain Services allows an authorized domain user to escalate privileges through improper restriction of object names. An attacker with standard user credentials can exploit this flaw to gain elevated access over the network without requiring administrative credentials. The vulnerability affects Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and 2025.
What this means
What could happen
An authenticated attacker with standard user credentials could gain elevated privileges in your Active Directory environment, potentially allowing them to modify domain objects, access restricted resources, or compromise domain-joined systems including OT workstations and servers.
Who's at risk
Water utilities and electric utilities managing Windows-based IT and OT infrastructure are affected, particularly those using Windows Server 2016, 2019, 2022, or 2025 as domain controllers, or Windows 10 and 11 on engineering workstations, SCADA client systems, and other domain-joined devices. Any organization relying on Active Directory for authentication and access control to industrial control systems is at risk.
How it could be exploited
An attacker with valid domain user credentials exploits improper naming restrictions in Active Directory Domain Services to craft specially named objects that bypass privilege checks, escalating their access level to administrator or equivalent without requiring administrative credentials initially.
Prerequisites
- Valid domain user credentials (standard user or above)
- Network access to an Active Directory Domain Controller
- The attacker must be able to authenticate to the domain
- Remotely exploitable
- Requires valid credentials but could be leveraged by insider or compromised account
- Low complexity attack
- Affects domain infrastructure security
- Impacts authentication for OT systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (27)
27 with fix
Remediation & Mitigation
Do now
- HARDENING: Review and audit recent Active Directory object modifications and privilege escalations in your domain controller logs
- HARDENING: Restrict administrative console access to domain controllers to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Windows Server 2016
- HOTFIX: Prioritize patching Windows Server 2016, 2019, and 2022 domain controllers first, as they are critical to domain security
All products
- HOTFIX: Apply the March 2026 security update to all Windows servers and workstations in your environment
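One way to carry out the "Do now" log review on a domain controller, as an added example that is not part of the original advisory. It is a general review of directory changes and group-membership additions, not a detector for this CVE. It assumes the "Audit Directory Service Changes" and "Audit Security Group Management" policies are already enabled, and the 14-day window is an arbitrary choice.

```powershell
# Added example: run on a domain controller from an elevated PowerShell session.
# Assumes directory-service-change and security-group-management auditing is
# enabled; without it the Security log holds no matching events.
$Days = 14   # look-back window, chosen for illustration
$Ids = @{
    5136 = 'Directory object modified'
    5137 = 'Directory object created'
    5139 = 'Directory object moved'
    4781 = 'Account name changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]@($Ids.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the named EventData fields into a lookup table
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = $Ids[$e.Id]
        Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        # 5136/5137 carry ObjectDN; group events carry TargetUserName (the group)
        Target  = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['TargetUserName'] }
        Detail  = switch ($e.Id) {
            5136    { '{0} = {1}' -f $d['AttributeLDAPDisplayName'], $d['AttributeValue'] }
            4781    { '{0} -> {1}' -f $d['OldTargetUserName'], $d['NewTargetUserName'] }
            5139    { '{0} -> {1}' -f $d['OldObjectDN'], $d['NewObjectDN'] }
            default { $d['MemberName'] }
        }
    }
}

# Accounts ranked by number of changes, then the full timeline for review
$report | Group-Object Actor | Sort-Object Count -Descending | Select-Object Count, Name
$report | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Changes made by accounts that are not expected to administer the directory, and renames or creations with unusual object names, are the entries to follow up first.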
CVEs (1)