From Domain User to SYSTEM: Analyzing the NTLM LDAP Authentication Bypass Vulnerability (CVE-2025-54918)

Source: CrowdStrike Blog

Author: Tom Kahana

URL: https://www.crowdstrike.com/en-us/blog/analyzing-ntlm-ldap-authentication-bypass-vulnerability/

ONE SENTENCE SUMMARY:

A vulnerability (CVE-2025-54918) enables attackers to escalate privileges in Active Directory environments, mitigated by CrowdStrike Falcon solutions.

MAIN POINTS:

  1. CVE-2025-54918 affects Domain Controllers using LDAP or LDAPS services.
  2. Attackers can elevate privileges from a domain user to SYSTEM level.
  3. Entire Active Directory environments could be compromised.
  4. Exploit uses NTLM relay and coerced authentication techniques.
  5. NTLM relay captures a user's authentication attempt and relays it to another server.
  6. Session signing is a critical mitigation against NTLM relay attacks.
  7. Attackers cannot retrieve the session key needed for signed sessions.
  8. Mitigations include requiring server signing for secure sessions.
  9. CrowdStrike Falcon® solutions help protect against this vulnerability.
  10. Unified CrowdStrike Falcon® platform provides comprehensive security tools.
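The signing mitigation in points 6 through 8 is a Domain Controller configuration. The following added example (not code from the CrowdStrike post or from the Falcon platform) audits that configuration on a DC; it assumes it is run elevated on the DC itself, and the function name `Test-LdapSigningHardening` is the example's own.

```powershell
# Added example: audit a Domain Controller's LDAP signing and channel-binding
# settings, the mitigation the post points to for this NTLM relay vulnerability.
# Assumes an elevated PowerShell session on the DC being checked.
function Test-LdapSigningHardening {
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # LDAPServerIntegrity: 1 = None (default), 2 = Require signing
    # (GPO: "Domain controller: LDAP server signing requirements")
    $signing = (Get-ItemProperty -Path $ntdsKey -Name 'LDAPServerIntegrity' `
        -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($null -eq $signing) { $signing = 1 }   # absent value behaves as "None"

    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
    # (GPO: "Domain controller: LDAP server channel binding token requirements")
    # An absent value means the OS default applies, so it is reported as "not set".
    $cbt = (Get-ItemProperty -Path $ntdsKey -Name 'LdapEnforceChannelBinding' `
        -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

    [PSCustomObject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        SigningRequired           = ($signing -eq 2)
        LdapEnforceChannelBinding = if ($null -eq $cbt) { 'not set' } else { $cbt }
        ChannelBindingAlways      = ($cbt -eq 2)
    }
}

Test-LdapSigningHardening | Format-List

# Before enforcing, find clients that still bind without signing. With the NTDS
# diagnostic level "16 LDAP Interface Events" set to 2, the DC writes event 2889
# (client address and account) to the Directory Service log for each such bind.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A result of `SigningRequired = False` means the DC still accepts unsigned LDAP binds and the relay described in the post remains possible against it.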

TAKEAWAYS:

  1. CVE-2025-54918 is a significant security threat to Active Directory.
  2. Effective mitigations focus on session signing.
  3. NTLM relay remains a prevalent attack technique.
  4. CrowdStrike Falcon® offers solutions for vulnerability management.
  5. Unified security platforms enhance protection for enterprise environments.