Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained


In January 2025, Microsoft disclosed and patched, as part of Patch Tuesday, a critical privilege escalation vulnerability affecting Active Directory Domain Services (AD DS). Although CVE-2025-21293 was discovered in September 2024, the public release of a proof-of-concept (PoC) exploit has heightened concerns, and adversaries have been observed exploiting the vulnerability in the wild. Given the widespread reliance on Active Directory for authentication and authorization in corporate networks, organizations are strongly advised to apply the latest security patches promptly.

In this blog, we explain how the Microsoft AD DS CVE-2025-21293 vulnerability works and how organizations can defend against attacks that exploit it.


Microsoft AD DS CVE-2025-21293 Vulnerability Explained

The Network Configuration Operators group is a built-in local group that exists on Windows servers and workstations, including those running Active Directory Domain Services (AD DS). It is designed to let designated users modify network settings without granting them full administrative privileges. Members can perform network-related administrative tasks such as configuring TCP/IP settings, enabling or disabling network adapters, renewing or releasing DHCP leases, and modifying DNS settings. By default, the group has no members, so administrators must add users manually if they require these permissions.

In September 2024, security researchers found that the Network Configuration Operators group's CreateSubKey permission on certain registry keys could be exploited and reported the vulnerability to Microsoft [1]. CVE-2025-21293 is a privilege escalation vulnerability in Active Directory Domain Services (AD DS) that abuses the Network Configuration Operators group's permissions. The flaw allows members of this group to modify registry keys related to system services such as DnsCache and NetBT, which can be leveraged to execute code as NT\SYSTEM by abusing Performance Counters. An attacker can register a malicious DLL that Windows then loads with SYSTEM privileges, granting full control of the host. The vulnerability has a CVSS score of 8.8 (High) [2].

CVE-2025-21293 affects the products listed below; organizations are advised to patch vulnerable Microsoft products without delay.

Product Name          | Affected Versions
----------------------|------------------------------------------------
Windows 10 (32-bit)   | version 1607, version 1809, 21H2, 22H2
Windows 10 (64-bit)   | version 1607, version 1809, 21H2, 22H2
Windows 10 (ARM64)    | 21H2, 22H2
Windows 11 (64-bit)   | 22H2, 23H2, 24H2
Windows 11 (ARM64)    | 22H2, 23H2, 24H2
Windows Server        | 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025

How Does the Microsoft AD DS CVE-2025-21293 Exploit Work?

The root cause of CVE-2025-21293 is misconfigured registry permissions for the Network Configuration Operators group. The group holds the CreateSubKey right on the DnsCache and NetBT service keys, and this right allows its members to create subkeys under those existing registry keys. Using it, security researchers were able to register the following four registry subkeys related to performance monitoring:

  • Library subkey specifies the DLL used for performance monitoring.

  • Open / Collect / Close subkeys define function names for handling performance data.

After creating the subkeys, the researchers placed a malicious DLL on the target system. By querying the Performance Counters through WMI, they caused the performance counter libraries, including the malicious DLL, to be loaded. Because WMI queries performance counters with elevated privileges, the malicious DLL runs with SYSTEM privileges, escalating the attacker's access.
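A defender-side audit for the two preconditions the walkthrough above relies on, as an added example (not code from this post or from the researcher's write-up): it checks whether Network Configuration Operators still holds CreateSubKey on the DnsCache and NetBT service keys, and whether a Performance key with a Library value now sits under either of them. The registry paths and the Performance/Library/Open/Collect/Close layout are assumed from the standard Windows service key structure rather than taken from the page, and the group is matched by its well-known SID S-1-5-32-556.

```powershell
# Added audit script (assumption-based; not the original researcher's code).
# Assumes the standard layout HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Performance
# with Library / Open / Collect / Close values, as used by Windows performance counter DLLs.
$services   = @('Dnscache', 'NetBT')
$ncoSid     = 'S-1-5-32-556'   # well-known SID of BUILTIN\Network Configuration Operators
$createSub  = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey

foreach ($svc in $services) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $keyPath)) { Write-Warning "$keyPath not found, skipping"; continue }

    # Check 1: does Network Configuration Operators still hold CreateSubKey here?
    $acl   = Get-Acl -Path $keyPath
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $ncoSid -and
        (([int]$_.RegistryRights -band $createSub) -ne 0)
    }
    if ($risky) {
        Write-Output "[!] $svc : Network Configuration Operators can CreateSubKey under $keyPath (CVE-2025-21293 precondition present; apply the January 2025 update)"
    } else {
        Write-Output "[+] $svc : no CreateSubKey right for Network Configuration Operators on $keyPath"
    }

    # Check 2: is there a Performance key, and where does its Library value point?
    $perfKey = Join-Path $keyPath 'Performance'
    if (-not (Test-Path $perfKey)) { Write-Output "[+] $svc : no Performance subkey present"; continue }

    $perf = Get-ItemProperty -Path $perfKey
    $lib  = [Environment]::ExpandEnvironmentVariables([string]$perf.Library)
    # A bare file name is resolved from System32, like the performance counter loader does.
    if ($lib -and -not [System.IO.Path]::IsPathRooted($lib)) {
        $lib = Join-Path "$env:SystemRoot\System32" $lib
    }
    $inSystem32 = $lib -and $lib.StartsWith("$env:SystemRoot\System32", 'OrdinalIgnoreCase')
    $sigStatus  = if ($lib -and (Test-Path $lib)) { (Get-AuthenticodeSignature -FilePath $lib).Status } else { 'FileMissing' }

    $verdict = if ($inSystem32 -and $sigStatus -eq 'Valid') { '[+]' } else { '[!]' }
    Write-Output ("{0} {1} : Performance\Library = '{2}' (Open={3}, Collect={4}, Close={5}, signature={6})" -f
        $verdict, $svc, $lib, $perf.Open, $perf.Collect, $perf.Close, $sigStatus)
}
```

Run it in an elevated PowerShell session so that every ACL and file can be read; a `[!]` line on Check 2 means a Performance library that is unsigned or outside System32 and should be reviewed in the context of the host's change history.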

How Does Picus Help Simulate Microsoft AD DS CVE-2025-21293 Attacks?

We also strongly suggest simulating the Microsoft AD DS CVE-2025-21293 vulnerability with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for Microsoft AD DS CVE-2025-21293 exploitation attacks:

Threat ID | Threat Name                                                                          | Attack Module
----------|--------------------------------------------------------------------------------------|------------------------------
40489     | Microsoft Active Directory Domain Services Elevation of Privilege Vulnerability Threat | Network Infiltration
39613     | Microsoft Active Directory Domain Services Elevation of Privilege Vulnerability Threat | Email Infiltration (Phishing)

References

[1] "Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293)," A tale of mediocracy, Jan. 10, 2025. Available: https://birkep.github.io/posts/Windows-LPE/

[2] "CVE-2025-21293 - Security Update Guide - Microsoft Security Response Center." Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21293