PT-2025-1114 · Microsoft · Active Directory Domain Services
Sebastian Sadeq Birke · Published 2025-01-14 · Updated 2026-01-18
CVE-2025-21293
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Active Directory Domain Services (affected versions not specified)
Description
A critical elevation-of-privilege vulnerability in Active Directory Domain Services, caused by errors in access control, allows an attacker to elevate their privileges to the SYSTEM level. The Network Configuration Operators group has the right to create subkeys in the Windows registry for the DnsCache and NetBT services, and so can add new entries under these services' registry keys. Using this capability, an attacker can register their own performance counters, which ultimately allows executing arbitrary code with SYSTEM privileges.
Recommendations
To protect against this vulnerability, it is recommended to limit the rights of the Network Configuration Operators group and install the corresponding security updates from Microsoft.
As a temporary workaround, consider restricting access to the DnsCache and NetBT services in the Windows registry to minimize the risk of exploitation.
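As an added example (not part of the original advisory or of Microsoft guidance), the following PowerShell audit reports whether the Network Configuration Operators group, matched by its well-known SID S-1-5-32-556, holds a right that permits creating subkeys under the two service keys named above. The full registry paths under HKLM:\SYSTEM\CurrentControlSet\Services are an assumption, since the advisory names only the services.

```powershell
# Added example: audit the ACLs on the DnsCache and NetBT service keys for
# subkey-creation rights held by Network Configuration Operators.
# Run from an elevated session so the key ACLs can be read.

$ncoSid = 'S-1-5-32-556'   # well-known SID: BUILTIN\Network Configuration Operators

# Assumed standard locations of the two service keys named in the advisory.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'
)

# Access-mask bits that permit creating a subkey. Registry ACEs can carry
# generic rights as raw bits, so those are checked alongside the specific right.
$createSubKey = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$riskyMask    = $createSubKey -bor $genericWrite -bor $genericAll

$findings = foreach ($key in $serviceKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $acl = Get-Acl -Path $key
    # Resolve identities to SIDs so the match does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isNco   = $rule.IdentityReference.Value -eq $ncoSid
        $isAllow = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        if ($isNco -and $isAllow -and (([int]$rule.RegistryRights) -band $riskyMask)) {
            [pscustomobject]@{
                Key       = $key
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'Network Configuration Operators holds no subkey-creation right on the audited keys.'
}
```

Any row in the output identifies a key where the access described in the advisory is still granted; an empty result means the group has no allow entry with subkey-creation rights on either key.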
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
LPE
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Active Directory Domain Services
Windows