CVE-2025-26685: Microsoft Defender for Identity Spoofing Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Publicly Disclosed: Yes
Patch Tuesday: 2025-May
Released: 2025-05-13
EPSS Score: 1.25% (percentile: 79.4%)

Description

Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network.

FAQ

What actions do I need to take to be protected from this vulnerability?
No admin action is required. Customers that have NTLM completely disabled in their environment and would like to keep the feature working should open a support case requesting to reenable the feature. For more information, please see this article: https://learn.microsoft.com/en-us/defender-for-identity/deploy/remote-calls-sam

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?
An unauthenticated attacker with LAN access could exploit this vulnerability.

Affected Products (1)

System Center

  • Microsoft Defender for Identity

Acknowledgments

Joshua Murrell (https://linkedin.com/in/joshua-murrell-io) with NetSPI (https://www.netspi.com/)

Revision History

  • 2025-05-13: Information published.