Active Directory is the backbone of nearly every enterprise Windows environment. When a vulnerability lands that lets a low-privileged domain user escalate straight to SYSTEM on a domain controller, every defender needs to pay attention. CVE-2025-54918 is exactly that class of vulnerability, combining the old but deadly duo of NTLM relay and authentication coercion with a new twist that bypasses even hardened environments.
This post breaks down what the vulnerability is, why LDAP signing and channel binding matter, and what concrete steps defenders can take right now to detect and remediate the misconfiguration before attackers get there first.
If your organization relies on Active Directory and you are not sure whether your domain controllers are properly hardened, Redfox Cybersecurity can help you assess your exposure and prioritize your remediation effort.
CVE-2025-54918 is a critical vulnerability in Windows NT LAN Manager (NTLM) that was disclosed and patched on September 9, 2025. The vulnerability affects Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022, and 2025. It has been assigned a CVSSv3 score of 8.8 and is rated critical by Microsoft. The vulnerability stems from improper authentication in Windows NTLM that allows an authorized attacker to elevate privileges over a network.
Attackers can leverage a coercion attack such as the Printer Bug exploit to initiate an authentication attempt from the domain controller, then modify fields in the authentication packets and relay this authentication to gain elevated privileges. The attack is particularly concerning because it bypasses traditional security controls like channel binding and LDAP signing requirements, making it effective even in environments with standard hardening measures in place.
The attack requires only a low-privileged domain user account, which can often be obtained through means such as password spraying, credential theft, or social engineering attacks.
The exploitation flow follows a structured path. An attacker with a standard domain account uses a coercion primitive (such as the Print Spooler's MS-RPRN interface) to force the domain controller to authenticate outward. That authentication, carrying NTLM credentials, is intercepted and relayed to the LDAP service on the same or another domain controller. The attacker manipulates the NTLM authentication packet fields, stripping the SIGN and SEAL flags while preserving the LOCAL_CALL flag. With SIGN and SEAL removed, channel protections are bypassed. With LOCAL_CALL preserved, the domain controller trusts the authentication completely.
Once SYSTEM-level access is achieved, the attacker gains complete control over the domain controller, enabling them to perform any administrative action including creating new accounts, modifying group memberships, accessing sensitive data, and potentially compromising the entire Active Directory forest.
LDAP signing ensures that every LDAP communication between a client and a domain controller is digitally signed. Without signing enforced, an attacker positioned on the network can intercept, modify, or replay LDAP traffic without detection. Unsigned, unencrypted LDAP therefore gives an attacker in a man-in-the-middle position a direct route to relaying authentication and gaining elevated privileges.
When LDAP signing is set to "None" or left at the default "Negotiate signing" without enforcement, relayed NTLM authentication can be used to perform write operations against Active Directory with no additional barrier.
Channel binding normally prevents authentication relay attacks by cryptographically binding the authentication to the specific network channel. The mechanism uses a Channel Binding Token (CBT) that ties the TLS session to the authentication exchange. When channel binding is enforced, a relayed authentication token cannot be reused on a different TLS connection, because the CBT embedded in it will not match.
The March 2020 update added controls for administrators to harden configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers. Despite years of guidance from Microsoft, a significant number of production environments still run with these controls either absent or only partially configured, which is precisely the gap CVE-2025-54918 exploits.
By default, Windows domain controllers do not enforce LDAP signing, and channel binding is set to "When supported" rather than "Always." This means unsigned LDAP binds are silently accepted, and legacy applications that do not send CBTs are not blocked. Attackers exploiting CVE-2025-54918 know this and deliberately strip the flags that would trigger signing enforcement.
If you are managing a complex domain environment and want an expert review of your LDAP and NTLM configuration, Redfox Cybersecurity offers Active Directory security assessments that surface exactly these kinds of critical misconfigurations before they become incidents.
The first step is understanding what your domain controllers are currently enforcing. Use the following PowerShell command to query the registry value that controls LDAP server signing:
```powershell
# Check LDAP signing policy on a domain controller
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LDAPServerIntegrity" -ErrorAction SilentlyContinue
# Values:
# 0 = None (unsigned LDAP accepted)
# 1 = Negotiate signing (default, insufficient)
# 2 = Require signing (enforced)
```
```powershell
# Check LDAP channel binding policy
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LdapEnforceChannelBinding" -ErrorAction SilentlyContinue
# Values:
# 0 = Disabled (no CBT validation)
# 1 = Enabled when supported (partial protection)
# 2 = Always required (full enforcement)
```
Before enforcing these settings, you need to audit which clients and applications are currently making unsigned binds. Enable diagnostic logging on the domain controller:
```powershell
# Enable LDAP Interface Events logging (level 2 = basic, level 5 = verbose)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" `
    -Name "16 LDAP Interface Events" -Value 2 -Type DWord
# After enabling, each unsigned bind generates Event ID 2889 in the Directory Service log
# (Event ID 2887 gives a 24-hour summary count). Review the 2889 events with a server-side filter:
Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; Id = 2889 }
```
Event ID 2889 identifies the client IP address and the account making unsigned binds. Build a list of all offending clients before moving to enforcement, since flipping the signing requirement without this baseline will break legacy applications.
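Building that baseline by hand from raw 2889 events is tedious on a busy domain. The following PowerShell function is an added example, not code from the original post, that collects the events from every domain controller and collapses them into one row per client, identity and bind type with a count and last-seen time. It assumes that each 2889 event carries three properties in the order client IP:port, identity, binding type (with a fallback that parses the rendered message text), and that the DCs are reachable over WinRM from the workstation running it.

```powershell
# Added example (not from the original post): turn Event ID 2889 into a per-client baseline.
# Assumptions: each 2889 event carries three properties in this order (client IP:port,
# identity, binding type), and the DCs are reachable over WinRM from where this runs.
function Get-UnsignedLdapBindBaseline {
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),   # DCs to query
        [int]$Days = 7                                         # look-back window
    )

    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2889
            StartTime = $since
        } -ErrorAction SilentlyContinue
    }

    $records = foreach ($e in $events) {
        if ($e.Properties.Count -ge 3) {
            $client   = "$($e.Properties[0].Value)"
            $identity = "$($e.Properties[1].Value)"
            $bindType = "$($e.Properties[2].Value)"
        } else {
            # Fallback: in the rendered message each value sits on the line after its label
            $lines    = @($e.Message -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $client   = $lines[$lines.IndexOf('Client IP address:') + 1]
            $identity = $lines[$lines.IndexOf('Identity the client attempted to authenticate as:') + 1]
            $bindType = $lines[$lines.IndexOf('Binding Type:') + 1]
        }
        # Binding type 0 = SASL bind without signing, 1 = simple bind over clear text
        $bindName = if ($bindType -eq '1') { 'SimpleBindClearText' } else { 'UnsignedSaslBind' }
        [pscustomobject]@{
            DomainController = $e.MachineName
            ClientIP         = $client -replace ':\d+$', ''     # drop the ephemeral source port
            Identity         = $identity
            BindType         = $bindName
            TimeCreated      = $e.TimeCreated
        }
    }

    # Collapse to one row per client/identity/bind type with counts and last-seen time;
    # this is the list of owners to contact before flipping LDAPServerIntegrity to 2
    $records | Group-Object ClientIP, Identity, BindType | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Group[0].ClientIP
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Count -Descending
}

# Usage: baseline all DCs over two weeks and hand the CSV to the application owners
Get-UnsignedLdapBindBaseline -DomainController (Get-ADDomainController -Filter *).HostName -Days 14 |
    Export-Csv -Path .\unsigned-ldap-binds.csv -NoTypeInformation
```

Run it for at least one full business cycle (month-end jobs included) before enforcing signing; a client that only binds once a month will be missing from a one-week baseline and will break the day you flip the setting.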
The following Sigma detection rule targets the NTLM LDAP authentication pattern that is central to CVE-2025-54918 exploitation, specifically looking for empty usernames combined with the LOCAL_CALL flag over LDAP:
```yaml
title: CVE-2025-54918 NTLM LDAP Authentication Pattern
id: b432-fd12-ck21   # placeholder: Sigma requires a UUID here; generate one before deploying
description: >
  Detects NTLM LDAP auth attempts with empty usernames and LOCAL_CALL flag,
  indicative of CVE-2025-54918 relay exploitation.
status: stable
logsource:
  product: windows
  service: ntlm   # Event ID 8004 is written to Microsoft-Windows-NTLM/Operational, not to a network_connection source
detection:
  selection:
    EventID: 8004
    AuthUsername: ''
    LOCAL_CALL: 'true'
    Protocol: 'LDAP'
  condition: selection
falsepositives:
  - None expected in production environments
level: critical
tags:
  - attack.privilege_escalation
  - attack.lateral_movement
  - cve.2025.54918
```
The equivalent Splunk search:

```spl
index=windows AND (EventCode=8004 OR EventCode=4624)
| where Username=""
| where NTLMFlags LIKE "%LOCAL_CALL%"
| where TargetService="LDAP" OR TargetPort IN (389, 636)
| table _time, ComputerName, SourceIP, Username, NTLMFlags, TargetPort
| sort -_time
```
And the equivalent KQL query for Microsoft Sentinel:

```kql
// Event ID 8004 lives in Microsoft-Windows-NTLM/Operational; it only reaches SecurityEvent
// if that channel is collected into the table, so confirm ingestion before relying on this
SecurityEvent
| where EventID == 4624 or EventID == 8004
| where isempty(Account) or Account == ""
| where AuthenticationPackageName == "NTLM"
| where AdditionalInfo contains "LOCAL_CALL"
| where TargetPort in (389, 636)
| project TimeGenerated, Computer, Account, IpAddress, AuthenticationPackageName, TargetPort
| order by TimeGenerated desc
```
Detecting CVE-2025-54918 exploitation attempts requires a multi-layered monitoring strategy focused on anomalous authentication patterns within Active Directory. The queries above target one specific pattern (empty NTLM usernames with LOCAL_CALL over LDAP); they should be layered with your existing NTLM auditing and coercion-traffic monitoring rather than treated as a single signature.
Microsoft released security updates to address this vulnerability as part of their September 2025 Patch Tuesday release. Organizations are advised to apply the security updates as soon as possible to protect against potential exploitation.
Verify your domain controllers are patched by running:
```powershell
# Check installed hotfixes on domain controllers
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-120) } |
    Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn -Descending
```
Navigate in the Group Policy Management Console (GPMC) to the Default Domain Controllers Policy and apply the following settings:
Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Set "Domain controller: LDAP server signing requirements" to "Require signing".
To apply this programmatically:
```powershell
# Set LDAP signing to Require (value 2). Run this on each DC, or let the GPO above write it;
# a GPO that sets the policy will overwrite a manual registry edit on the next refresh.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LDAPServerIntegrity" -Value 2 -Type DWord
# Force Group Policy update on all DCs (run from management workstation)
Invoke-GPUpdate -Computer "DC01" -Force
Invoke-GPUpdate -Computer "DC02" -Force
```
```powershell
# Set channel binding to Always Required (value 2)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LdapEnforceChannelBinding" -Value 2 -Type DWord
# Verify the change
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" |
    Select-Object LdapEnforceChannelBinding, LDAPServerIntegrity
```
The Print Spooler service is the primary coercion primitive used to initiate the authentication relay. It has no legitimate business function on a domain controller.
```powershell
# Stop and disable the Print Spooler service on all domain controllers
$DCs = (Get-ADDomainController -Filter *).Name
foreach ($DC in $DCs) {
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host "$env:COMPUTERNAME: Print Spooler disabled"
    }
}
```
Domain controllers should never be initiating outbound SMB or LDAP connections to arbitrary hosts. Use Windows Firewall to restrict this at the host level:
```powershell
# Block outbound SMB (port 445) from DCs.
# Caveat: as written this rule has no -RemoteAddress scope, so it also blocks DC-to-DC SMB
# (SYSVOL and NETLOGON access between DCs). Scope it with -RemoteAddress to the ranges you
# actually want blocked and validate replication and Group Policy processing before rollout.
New-NetFirewallRule -DisplayName "Block Outbound SMB from DC" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 445 `
    -Action Block `
    -Profile Domain
# Block outbound LDAP (port 389) from DCs (same scoping caveat applies)
New-NetFirewallRule -DisplayName "Block Outbound LDAP from DC" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 389 `
    -Action Block `
    -Profile Domain
```
Since NTLM relay also leverages SMB coercion paths, SMB signing should be enforced on all domain controllers and ideally across all domain-joined hosts.
Path in GPMC: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Set both "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" to "Enabled".
```powershell
# Verify SMB signing on a domain controller
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
```
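The individual checks above (LDAP signing and channel binding registry values, the Print Spooler state, and SMB signing) are easy to run on one DC and easy to forget on the tenth. The following function is an added example, not code from the original post, that runs all of them against every domain controller in one pass and reports which controls still fall short of the target state described in this post. It assumes the ActiveDirectory module is available and that each DC accepts WinRM from the workstation running it.

```powershell
# Added example (not from the original post): audit every DC for the controls covered above.
# Assumptions: ActiveDirectory module present, WinRM access to each DC. Target values follow
# the post: LDAPServerIntegrity 2, LdapEnforceChannelBinding 2, SMB signing required, Spooler disabled.
function Get-DcHardeningStatus {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )

    # Collected on each DC; absent registry values read as 0 (the weakest setting)
    $probe = {
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $p    = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
        $smb  = Get-SmbServerConfiguration
        $spl  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $spoolerState = if ($spl) { "$($spl.Status)/$($spl.StartType)" } else { 'NotInstalled' }
        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            LdapServerIntegrity = [int]$p.LDAPServerIntegrity
            LdapChannelBinding  = [int]$p.LdapEnforceChannelBinding
            SmbSigningRequired  = [bool]$smb.RequireSecuritySignature
            SpoolerState        = $spoolerState
        }
    }

    foreach ($dc in $DomainController) {
        try {
            $r = Invoke-Command -ComputerName $dc -ScriptBlock $probe -ErrorAction Stop
        } catch {
            Write-Warning "$dc unreachable: $($_.Exception.Message)"
            continue
        }

        # Compare each control with its target; a DC is compliant only when every finding list is empty
        $findings = @()
        if ($r.LdapServerIntegrity -lt 2) { $findings += 'LDAP signing not required' }
        if ($r.LdapChannelBinding -lt 2)  { $findings += 'LDAP channel binding not always required' }
        if (-not $r.SmbSigningRequired)   { $findings += 'SMB server signing not required' }
        if ($r.SpoolerState -ne 'NotInstalled' -and $r.SpoolerState -ne 'Stopped/Disabled') {
            $findings += "Print Spooler is $($r.SpoolerState)"
        }

        $r | Add-Member -NotePropertyName Compliant -NotePropertyValue ($findings.Count -eq 0)
        $r | Add-Member -NotePropertyName Findings  -NotePropertyValue ($findings -join '; ')
        $r
    }
}

# Usage: one table for the whole forest; re-run after each GPO change and after patching
Get-DcHardeningStatus | Format-Table ComputerName, Compliant, Findings -AutoSize
```

Because the registry values are read directly on each DC, this reflects what the DC is actually enforcing at that moment, which is the number that matters if a GPO has not yet refreshed or was linked to the wrong OU.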
Remediating NTLM relay attack surfaces involves tuning multiple interdependent controls simultaneously. If you need hands-on support hardening your Active Directory environment, Redfox Cybersecurity's Active Directory and infrastructure security services are designed to walk through exactly this process with your team.
After applying the changes above, validate them before moving on. Use ldp.exe or ldapsearch to attempt an unauthenticated or unsigned bind against a patched domain controller:
```bash
# From a Linux host, attempt an anonymous LDAP bind (should fail after hardening)
ldapsearch -x -H ldap://DC01.domain.local -b "DC=domain,DC=local" \
    "(objectClass=user)" cn
# Expected result after enforcement: "ldap_bind: Strong(er) authentication required (8)"
```
You can also use ldp.exe on Windows to attempt a simple bind (not using credentials or signing) against port 389. If LDAP signing is correctly enforced, the bind will fail with an error indicating that strong authentication is required. That failure is your success.
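If you want that check scripted rather than clicked through in ldp.exe, the following function is an added example, not code from the original post, that performs a simple (Basic) bind over clear-text port 389 with signing and sealing turned off and reports whether the DC rejected it with LDAP error 8 (strongerAuthRequired). It uses the .NET System.DirectoryServices.Protocols API; the DC name and the test credential are placeholders. Use a throwaway low-privileged account for the probe, because on an unhardened DC the simple bind sends that password in clear text, which is exactly the weakness being tested.

```powershell
# Added example (not from the original post): confirm a DC rejects an unsigned simple bind
# on port 389 once LDAP signing is required. Uses System.DirectoryServices.Protocols instead
# of ldp.exe. Assumptions: the DC name and the credential are placeholders supplied by the caller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSigningEnforced {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # e.g. DC01.domain.local (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential    # throwaway low-privileged test account
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind: no TLS, no signing
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $false
    $conn.SessionOptions.Sealing = $false

    try {
        $conn.Bind($Credential.GetNetworkCredential())
        # A clear-text simple bind that succeeds means signing is NOT being enforced
        [pscustomobject]@{
            DomainController = $DomainController
            SigningEnforced  = $false
            Detail           = 'Simple bind over clear text was accepted'
        }
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to reach LdapException.ErrorCode
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        $code = if ($ex -is [System.DirectoryServices.Protocols.LdapException]) { $ex.ErrorCode } else { -1 }
        # Error code 8 = strongerAuthRequired, the expected outcome after hardening
        [pscustomobject]@{
            DomainController = $DomainController
            SigningEnforced  = ($code -eq 8)
            Detail           = "LDAP error $code`: $($ex.Message)"
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage: SigningEnforced = True is the pass condition; anything else needs investigation
Test-LdapSigningEnforced -DomainController 'DC01.domain.local' `
    -Credential (Get-Credential -Message 'Throwaway low-privileged test account')
```

Run it against every DC, not just the one you edited; a DC that missed the GPO or still has a stale registry value will be the one an attacker relays to.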
Additionally, run PingCastle or Purple Knight against your domain post-remediation to verify that the LDAP signing and channel binding misconfigurations no longer appear as findings.
CVE-2025-54918 is a stark reminder that well-known protocol weaknesses in NTLM and LDAP remain a primary path to domain compromise in 2025. The vulnerability is not theoretical. Microsoft has assessed it as "Exploitation More Likely" in their Exploitability Index, and the attack chain requires nothing more than a standard domain account to execute.
The remediation path is clear: patch your domain controllers, enforce LDAP signing, enforce channel binding, disable Print Spooler on DCs, and block unnecessary outbound authentication traffic. Layer detections on top using the Sigma rules, KQL queries, and Splunk searches provided above so you can identify exploitation attempts if they occur before or during your remediation window.
Active Directory hardening is not a one-time project. It is an ongoing discipline. If you want a systematic, expert-led review of your domain's security posture, Redfox Cybersecurity's security assessment and penetration testing services will identify the gaps that matter most and help your team close them in a structured, prioritized way.