📄 Description (English)
Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally.
🤖 AI Executive Summary
CVE-2026-32072 is a medium-severity authentication bypass vulnerability in Windows Active Directory that enables local spoofing attacks without requiring exploitation tools. While no public exploit exists and patches are unavailable, the vulnerability affects a critical infrastructure component widely deployed across Saudi organizations. Organizations should implement immediate compensating controls and monitor for suspicious authentication patterns.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 22, 2026 22:52
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare organizations, and energy sector (ARAMCO, SEC). Active Directory is foundational to identity management across these sectors. Local spoofing attacks could enable privilege escalation, lateral movement, and unauthorized access to critical systems. Telecom operators (STC, Mobily) managing large AD environments are also at elevated risk. The lack of available patches increases exposure window.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA oversight)
Healthcare
Energy and Oil & Gas (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all Active Directory environments for unauthorized authentication attempts and failed logon events (Event ID 4625, 4771, 4776)
2. Implement enhanced logging on domain controllers (enable Audit Credential Validation, Audit Kerberos Authentication Service)
3. Restrict local administrative access and enforce principle of least privilege
4. Deploy multi-factor authentication (MFA) for all critical accounts and administrative access
5. Segment networks to limit lateral movement from compromised local accounts
COMPENSATING CONTROLS:
6. Enable Windows Defender Credential Guard on domain-joined systems
7. Implement Protected Users security group for sensitive accounts
8. Deploy LAPS (Local Administrator Password Solution) to randomize local admin passwords
9. Monitor for Pass-the-Hash (PtH) attacks using Windows Event Forwarding
10. Configure Kerberos armoring (FAST) to prevent offline attacks
DETECTION:
11. Create alerts for Event ID 4768 (Kerberos TGT requested) with suspicious patterns
12. Monitor for NTLM relay attacks using network-based detection
13. Track authentication failures followed by successful logons from same source
14. Review AD replication traffic for anomalies
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع بيئات Active Directory للتحقق من محاولات المصادقة غير المصرح بها وأحداث فشل تسجيل الدخول (معرف الحدث 4625، 4771، 4776)
2. تطبيق تسجيل محسّن على متحكمات المجال (تفعيل Audit Credential Validation و Audit Kerberos Authentication Service)
3. تقييد الوصول الإداري المحلي وفرض مبدأ الامتيازات الأقل
4. نشر المصادقة متعددة العوامل (MFA) لجميع الحسابات الحرجة والوصول الإداري
5. تقسيم الشبكات لتحديد الحركة الجانبية من الحسابات المحلية المخترقة
الضوابط التعويضية:
6. تفعيل Windows Defender Credential Guard على الأنظمة المنضمة للمجال
7. تطبيق مجموعة Protected Users للحسابات الحساسة
8. نشر LAPS (Local Administrator Password Solution) لتعشوية كلمات مرور المسؤول المحلي
9. مراقبة هجمات Pass-the-Hash باستخدام Windows Event Forwarding
10. تكوين Kerberos armoring (FAST) لمنع الهجمات غير المتصلة
الكشف:
11. إنشاء تنبيهات لمعرف الحدث 4768 (طلب Kerberos TGT) مع أنماط مريبة
12. مراقبة هجمات NTLM relay باستخدام الكشف القائم على الشبكة
13. تتبع فشل المصادقة متبوعة بعمليات تسجيل دخول ناجحة من نفس المصدر
14. مراجعة حركة مرور نسخ AD للكشف عن الشذوذ
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User registration and access rights management
ECC 2024 A.9.4.3 - Password management systems
ECC 2024 A.9.2.5 - Access rights review
ECC 2024 A.8.2.3 - Segregation of duties
🔵 SAMA CSF
ID.AM-1 - Asset management and inventory
PR.AC-1 - Access control policy and processes
PR.AC-4 - Access management for remote connectivity
DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
A.5.15 - Access control
A.5.16 - Authentication
A.8.3 - Cryptography
A.8.22 - Monitoring activities
🟣 PCI DSS v4.0.1
Requirement 2 - Default security parameters
Requirement 7 - Restrict access to data
Requirement 8 - User identification and authentication
🔗 References & Sources 1