Source: Cyber Security News
Author: Guru Baran
URL: https://cybersecuritynews.com/ghost-spns-and-kerberos-reflection-attack/
ONE SENTENCE SUMMARY:
CVE-2025-58726 exploits ghost SPNs and Kerberos reflection for SYSTEM-level access on Windows SMB servers lacking enforced signing.
MAIN POINTS:
- Vulnerability CVE-2025-58726 targets Windows SMB servers using ghost SPNs and Kerberos reflection.
- The flaw affects all Windows versions without enforced SMB signing, impacting default AD configurations.
- Attackers leverage domain users’ DNS rights to hijack ghost SPNs for unauthorized access.
- Kerberos reflection exploits unresolved SPNs, bypassing credential requirements for SYSTEM-level access.
- The attack circumvents prior mitigations like CVE-2025-33073, highlighting Kerberos’ reflection susceptibilities.
- Microsoft targets the srv2.sys driver for patching, focusing on SPN validity and connection source verification.
- Mitigation includes enforcing SMB signing, auditing SPNs, and restricting DNS write access.
- Network traces using Wireshark or ETW can monitor suspicious Kerberos TGS-REQ activities.
- October 14 patch emphasizes Active Directory hygiene to combat ghost SPN issues.
- Successful mitigation involves integrating current and evolving Kerberos abuse defenses.
TAKEAWAYS:
- Enforce SMB signing to prevent privilege escalation vulnerabilities.
- Regularly audit and purge ghost SPNs to improve AD security.
- Monitor for unusual Kerberos activities to detect potential breaches.
- Apply patches promptly to address emerging vulnerabilities.
- Strengthen domain configuration by limiting unnecessary user permissions.