PoC Exploit Released for Active Directory Domain Services Privilege Escalation Vulnerability

A proof-of-concept (PoC) exploit code has been released for CVE-2025-21293, a critical Active Directory Domain Services Elevation of Privilege vulnerability.

This vulnerability, discovered in September 2024 and patched in January 2025, has raised concerns due to its potential to allow attackers to gain system-level privileges within an Active Directory environment.

The vulnerability was identified during an investigation into the “Network Configuration Operators” group, a little-known built-in security group in Active Directory.

This group, intended to grant limited network configuration privileges to users without full administrative rights, was found to have excessive permissions over sensitive registry keys. Specifically, it allowed the creation of subkeys under the DnsCache and NetBT registry keys.

The key issue lies in the combination of these permissions with the ability to manipulate Windows Performance Counters. Windows use Performance Counters to monitor system and application performance, but they also provide a mechanism for executing custom code via DLLs, researcher BirkeP added.

By exploiting the permissions of the “Network Configuration Operators” group, an attacker could register malicious Performance Counter DLLs under the DnsCache service registry key. Once registered, these DLLs could be executed with SYSTEM-level privileges when queried by tools like PerfMon.exe or WMI.

Weaponization of Performance Counters

The exploit leverages Windows’ ability to load and execute custom DLLs as part of its Performance Counter infrastructure. The attacker registers four specific registry subkeys—Library, Open, Collect, and Close—pointing to their malicious DLL.

When the Performance Counter is accessed, such as through WMI queries or monitoring tools, the malicious code is executed in the context of SYSTEM, effectively elevating privileges.

This approach builds on prior research into exploiting Performance Counters but applies it uniquely within the context of Active Directory’s default security groups.

CVE-2025-21293 has been assigned a CVSS score of 8.8, reflecting its high severity. Successful exploitation allows attackers with low privileges to escalate their access to SYSTEM-level control over affected systems. This could enable unauthorized access to sensitive data or facilitate lateral movement within a network.

The PoC exploit demonstrates how an attacker can achieve this escalation by carefully crafting registry entries and deploying a malicious DLL. The exploit does not require user interaction, making it particularly dangerous in environments where Active Directory is widely deployed.

Microsoft addressed this vulnerability in its January 2025 Patch Tuesday updates. The patch modifies the permissions of the “Network Configuration Operators” group, removing its ability to create subkeys under critical registry keys. Organizations are strongly advised to apply this update immediately to mitigate potential risks.

For systems that cannot be patched promptly, administrators should consider restricting membership in the “Network Configuration Operators” group and monitoring for unusual registry modifications or Performance Counter activity.

The release of a PoC exploit for CVE-2025-21293 underscores the importance of proactive security measures and timely patching in enterprise environments. This vulnerability highlights how seemingly minor misconfigurations in default security groups can lead to severe consequences when combined with other system features.

As organizations continue to rely on Active Directory for identity management, understanding and addressing such vulnerabilities is crucial. Security teams should remain vigilant, applying patches promptly and monitoring for indicators of compromise related to this exploit.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Start Now for Free.

The post PoC Exploit Released for Active Directory Domain Services Privilege Escalation Vulnerability appeared first on Cyber Security News.