
New Attack Uses Ghost SPNs and Kerberos Reflection to Escalate Privileges on SMB Servers

A sophisticated privilege escalation vulnerability in Windows SMB servers has been discovered, leveraging Ghost Service Principal Names (SPNs) and Kerberos authentication reflection to achieve remote SYSTEM-level access.

Microsoft tracks the flaw as CVE-2025-58726, an “SMB Server Elevation of Privilege” vulnerability that affects every Windows version on which SMB signing is not enforced.

According to Semperis, the issue persists in environments with default Active Directory (AD) configurations, underscoring Kerberos’ susceptibility to reflection despite mitigations for related flaws like CVE-2025-33073.

Technical Exploitation Mechanics

The vulnerability exploits the interplay between unresolved SPNs and permissive DNS registration protocols in Windows domain environments.

By default, domain users hold write access to DNS zones. That lets an attacker claim the hostname behind a ghost SPN: an SPN that still references a name which no longer resolves, typically left behind by legacy systems, deployment errors, or hybrid setups.

Once the name is hijacked, the attacker can relay Kerberos tickets without any credentials and gain administrative control of the target; if Tier 0 assets such as AD Certificate Services are reached, this escalates to domain compromise.

Kerberos authentication, integral to Windows domains, employs asymmetric tickets for secure service access but lacks inherent reflection safeguards, unlike NTLM’s channel-binding mitigations.

Authentication reflection entails capturing a victim’s Kerberos AP-REQ (Application Request) and replaying it to the victim’s own endpoint, coercing self-authentication.

In CVE-2025-58726, ghost SPNs prefixed with HOST/ or CIFS/ on target computer accounts serve as the pivot point.

Attackers enumerate SPNs from AD over LDAP, single out the unresolved ones through nslookup failures, and register a DNS A record that maps the ghost hostname to an IP address they control, relying on the default DNS permissions granted to domain users.

Coercion follows using tools like PrinterBug or PetitPotam to trigger the target’s machine account to request a TGS ticket for the ghost SPN.

A relay tool such as KrbRelayEx intercepts the AP-REQ during SMB session setup, extracts the Kerberos token via SSPI, and relays it to the target’s SMB server, enabling arbitrary execution with SYSTEM privileges.

Microsoft’s Security Response and Remediation

Disclosed to the Microsoft Security Response Center (MSRC) on June 25, 2025, and confirmed as “Important” severity by July 22, CVE-2025-58726 received patches in Microsoft’s October 14 security update.

The fix targets srv2.sys, the driver that implements SMB 2.0+ server logic. It adds validation that checks the requested SPN against the local security context and inspects the source IP address so that remote reflection attempts are rejected.

When the server detects such an anomalous connection pattern, it terminates the session before the relayed token is impersonated, which closes the core issue.

However, residual risk remains for unpatched hosts and multi-protocol setups. Organizations should enforce SMB signing through Group Policy by setting RequireSecuritySignature=1 on both clients and servers; audit SPNs with tools such as TestComputerSpnDNS to enumerate ghosts and purge them with setspn -D; and revoke domain users’ DNS write ACLs via dnscmd /config.
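As an added example (not code from the article or from Semperis), the following Python audit mirrors the SPN-and-nslookup check described above: it parses exported servicePrincipalName values, flags every SPN whose host fails to resolve, and emits the matching setspn -D commands. The sample accounts and the set of resolvable names are constructed so the example runs offline; with a real export, omit the resolver argument and the default performs live DNS lookups.

```python
import re
import socket
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Kerberos SPN syntax: service/host[:port][/instance]. Only the host part matters for the
# ghost check: if it does not resolve, anyone with DNS write access can register it.
SPN_RE = re.compile(r"^(?P<service>[^/]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<instance>.+))?$")

def spn_host(spn: str) -> Optional[str]:
    """Return the lower-cased, dot-trimmed host component of an SPN, or None if malformed."""
    m = SPN_RE.match(spn.strip())
    return m.group("host").rstrip(".").lower() if m else None

def dns_resolves(host: str) -> bool:
    """Default resolver: a live lookup, the scripted equivalent of the nslookup test."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_ghost_spns(accounts: Iterable[Tuple[str, Sequence[str]]],
                    resolves: Callable[[str], bool] = dns_resolves,
                    services: Optional[set] = None) -> List[Tuple[str, str, str]]:
    """Return (account, spn, host) for each SPN whose host does not resolve. `services`
    optionally restricts the check to service classes, e.g. {"host", "cifs"} for the SMB pivot."""
    ghosts = []
    for sam, spns in accounts:
        for spn in spns:
            host = spn_host(spn)
            if host is None or (services and spn.split("/", 1)[0].lower() not in services):
                continue
            if not resolves(host):
                ghosts.append((sam, spn, host))
    return ghosts

def removal_commands(ghosts: List[Tuple[str, str, str]]) -> List[str]:
    """setspn -D lines that purge the ghosts (computer accounts are named without the $)."""
    return [f"setspn -D {spn} {sam.rstrip('$')}" for sam, spn, _ in ghosts]

# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS = [
    ("FS01$", ["HOST/FS01", "HOST/fs01.corp.example",
               "CIFS/oldfileserver.corp.example", "HOST/oldfileserver"]),
    ("SQL01$", ["HOST/sql01.corp.example", "MSSQLSvc/sql01.corp.example:1433"]),
]
# Constructed stand-in for the names the zone actually resolves, so the audit runs offline.
RESOLVABLE = {"fs01", "fs01.corp.example", "sql01", "sql01.corp.example"}
def offline_resolver(host: str) -> bool:
    return host in RESOLVABLE
```

Run `removal_commands(find_ghost_spns(SAMPLE_ACCOUNTS, offline_resolver))` to get the two setspn -D lines for FS01; anything reported for a machine's own hostname is also worth a look, since that name should normally be registered.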

Additional protective measures include deploying Kerberos monitoring for anomalous TGS-REQs through ETW or Wireshark filters on port 88, and neutralizing coercion via RPC restrictions such as DisableUnencryptedRpc=1 and service hardening.

The October 14 patch rollout underscores the need for proactive AD hygiene: according to industry reports, ghost SPNs are present in 70% of audited environments.

As attackers refine relay chains, integrating these controls fortifies defenses against evolving Kerberos abuses.

CVE-2025-58726 Technical Details

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-58726 |
| Vulnerability Type | SMB Server Elevation of Privilege |
| Severity | Important |
| CVSS Score | Not specified |
| Affected Products | Windows SMB servers (all versions without enforced SMB signing) |
| Attack Vector | Network |
| Attack Complexity | Medium |
| Privileges Required | Low (domain user access) |
| User Interaction | None |
| Impact | Remote SYSTEM-level access, potential domain compromise |
| Prerequisites | Low-privilege domain access; domain-joined target without SMB signing; ghost SPN present on target; default DNS write permissions |
| Disclosure Date | June 25, 2025 |
| Patch Date | October 14, 2025 |
| Exploit Mechanism | Ghost SPN hijacking + Kerberos authentication reflection |
| Mitigation | Apply October 2025 patch; enforce SMB signing; audit and remove ghost SPNs; restrict DNS write permissions; deploy RPC restrictions |


The post New Attack Uses Ghost SPNs and Kerberos Reflection to Escalate Privileges on SMB Servers appeared first on Cyber Security News.
