CVE-2026-25177
Severity: High
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
Weakness Type: CWE-641
Published: Mar 10, 2026  ·  Modified: Mar 17, 2026  ·  Source: NVD
CVSS v3: 8.8
📄 Description (English)

Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

🤖 AI Executive Summary

CVE-2026-25177 is a privilege escalation vulnerability in Active Directory Domain Services affecting multiple Windows 10 versions. An authorized attacker can exploit improper file/resource naming restrictions to elevate privileges across the network. With a CVSS score of 8.8 and no public exploit currently available, this poses a significant risk to organizations relying on Active Directory for identity and access management.

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 20:50
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses critical risk to Saudi government agencies (NCA, GOSI), banking sector (SAMA-regulated institutions, major banks), healthcare organizations (MOH), energy sector (ARAMCO, SEC), and telecommunications (STC, Mobily). Organizations using Active Directory for centralized identity management face elevated privilege escalation risks. Government entities managing citizen data and financial institutions processing transactions are particularly vulnerable. The attack requires authorized network access, making insider threats and compromised accounts significant concerns.
🏢 Affected Saudi Sectors
Government & Public Administration, Banking & Financial Services, Healthcare, Energy & Utilities, Telecommunications, Education, Insurance
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Prioritize patching Windows 10 versions 1607, 1809, 21H2, and 22H2 across all domain-joined systems
2. Audit Active Directory for suspicious privilege escalation attempts and unauthorized account modifications
3. Review and restrict file/resource naming policies in AD to prevent exploitation vectors
4. Monitor for lateral movement and privilege escalation indicators

PATCHING GUIDANCE:
1. Deploy Microsoft security updates immediately through WSUS or Windows Update
2. Test patches in non-production environments first
3. Prioritize domain controllers and administrative workstations
4. Implement phased rollout to minimize business disruption

COMPENSATING CONTROLS (if patching delayed):
1. Implement strict AD object naming conventions and validation rules
2. Enable Advanced Audit Policy for AD changes (Audit Directory Service Changes)
3. Restrict file/resource creation permissions to authorized administrators only
4. Deploy MFA for all privileged accounts
5. Implement Just-In-Time (JIT) privilege access management

DETECTION RULES:
1. Monitor Event ID 4662 (Object Access) for suspicious AD modifications
2. Alert on Event ID 4720 (User Account Created) with unusual naming patterns
3. Track Event ID 4738 (User Account Changed) for privilege escalation attempts
4. Monitor file system access logs for unauthorized resource creation
5. Implement SIEM rules for lateral movement post-privilege escalation
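The detection rules above, as an added example (not code from the page or from any vendor): a small rule evaluator over Security-log events exported as flat dicts. The naming policy regex, the administrator allowlist and the sample events are assumptions constructed for the demo; the 0x20 Write Property bit in the 4662 AccessMask is standard AD semantics.

```python
import re
from dataclasses import dataclass

# Assumed account-naming convention, e.g. "jd.smith" or "svc.backup01"; replace with the domain's standard.
NAME_POLICY = re.compile(r"^[a-z]{2,3}\.[a-z]{2,20}\d{0,2}$")
# Assumed set of accounts permitted to modify AD objects (rule 1 and rule 3 compare against it).
ADMIN_ALLOWLIST = {"adm.alice", "adm.bob"}
ADS_WRITE_PROP = 0x20  # Write Property bit in a 4662 AccessMask


@dataclass(frozen=True)
class Alert:
    event_id: int
    rule: str
    subject: str
    target: str


def evaluate(events):
    """Apply the three event-ID rules to a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        eid, subject = ev["EventID"], ev.get("SubjectUserName", "")
        target = ev.get("TargetUserName") or ev.get("ObjectName", "")
        if eid == 4720 and not NAME_POLICY.match(target):
            # Rule 2: new account whose sAMAccountName breaks the naming convention
            alerts.append(Alert(eid, "account created outside naming policy", subject, target))
        elif eid == 4738 and subject not in ADMIN_ALLOWLIST:
            # Rule 3: account attributes changed by a subject that is not an approved admin
            alerts.append(Alert(eid, "account changed by non-admin subject", subject, target))
        elif eid == 4662 and subject not in ADMIN_ALLOWLIST:
            # Rule 1: directory object written (not merely read) by a non-admin subject
            if int(ev.get("AccessMask", "0x0"), 16) & ADS_WRITE_PROP:
                alerts.append(Alert(eid, "write to directory object by non-admin subject", subject, target))
    return alerts


# Constructed sample events; only the 2nd, 4th and 6th should raise an alert.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "adm.alice", "TargetUserName": "jd.smith"},
    {"EventID": 4720, "SubjectUserName": "svc.helpdesk", "TargetUserName": "helpdesk tmp01"},
    {"EventID": 4738, "SubjectUserName": "adm.bob", "TargetUserName": "jd.smith"},
    {"EventID": 4738, "SubjectUserName": "svc.helpdesk", "TargetUserName": "adm.bob"},
    {"EventID": 4662, "SubjectUserName": "adm.alice", "AccessMask": "0x20",
     "ObjectName": "CN=jd.smith,OU=Users,DC=example,DC=local"},
    {"EventID": 4662, "SubjectUserName": "svc.helpdesk", "AccessMask": "0x20",
     "ObjectName": "CN=Domain Admins,CN=Users,DC=example,DC=local"},
    {"EventID": 4662, "SubjectUserName": "svc.helpdesk", "AccessMask": "0x10",
     "ObjectName": "CN=jd.smith,OU=Users,DC=example,DC=local"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```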
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1 Access Control Policy
ECC 2024 - 5.2.1 User Registration and De-registration
ECC 2024 - 5.3.1 Privileged Access Rights
ECC 2024 - 8.2.1 Information Security Event Logging
ECC 2024 - 8.3.1 Administrator and Operator Logs
🔵 SAMA CSF
SAMA CSF - Governance & Risk Management (GRM-01: Risk Assessment)
SAMA CSF - Information Security (IS-02: Access Control)
SAMA CSF - Information Security (IS-03: Cryptography)
SAMA CSF - Operational Resilience (OR-02: Incident Management)
SAMA CSF - Operational Resilience (OR-03: Logging and Monitoring)
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.2 Information security policies
ISO 27001:2022 - A.8.2 Privileged access rights
ISO 27001:2022 - A.8.3 Information access restriction
ISO 27001:2022 - A.8.4 Access to source code
ISO 27001:2022 - A.12.4 Logging
🟣 PCI DSS v4.0
PCI DSS 4.0 - Requirement 2: Apply secure configurations
PCI DSS 4.0 - Requirement 7: Restrict access to cardholder data
PCI DSS 4.0 - Requirement 8: Identify and authenticate access
PCI DSS 4.0 - Requirement 10: Log and monitor access
📦 Affected Products / CPE 25 entries
(The feed's 25 CPE entries, collapsed to distinct product/version strings after the trailing edition and update fields were dropped in rendering.)
microsoft:windows_10_1607
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_server_2012:-
microsoft:windows_server_2012:r2
microsoft:windows_server_2016
microsoft:windows_server_2019
microsoft:windows_server_2022
microsoft:windows_server_2022_23h2
microsoft:windows_server_2025
📊 CVSS Score
8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-641
Exploit: No
Patch: ✓ Yes
Published: 2026-03-10
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-641