CVE-2022-26925 is a weakness in the central component of Windows security (the “ Local Security Authority” process within windows) that when exploited allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication.

For an attacker to take advantage of this vulnerability, they must already have access to the logical network path between the client and the resource to perform a man-in-the middle attack.

This bug affects all supported versions of Windows, but especially Domain Controllers (DC). DC should be patched on a priority basis before updating other Servers. Special effort should be made to prioritize the remediation of this vulnerability on devices that are both DC and vulnerable to NTLM Relay Attacks.

CERTVU strongly recommends the following actions:

1. Install latest patches from Microsoft
2. If the “Active Directory Certificate Services” role and associate services (i.e. “Certificate Authority Web Enrollment” OR “Certificate Enrollment Web Service”) are installed but not used, uninstall the roles.