CVE-2022-26925 — Microsoft Windows LSA Spoofing Vulnerability

Microsoft Windows LSA — PetitPotam-style NTLM Relay to AD CS Enabling Domain Controller Takeover

What is Windows LSA and NTLM Relay?

The Windows Local Security Authority (LSA) is the subsystem, hosted in lsass.exe, that performs authentication and enforces local security policy; it also exposes the LSARPC remote interface over the \pipe\lsarpc named pipe. In an NTLM relay attack nothing is cracked: the attacker accepts an NTLM authentication from a victim and forwards the messages, unchanged, to a third service, which then treats the attacker's connection as the victim's. A coercion bug turns this from a passive wait into an attack on demand, because it makes the victim initiate the authentication whenever the attacker asks. When the victim is a domain controller and the relay target is the HTTP enrollment endpoint of Active Directory Certificate Services (AD CS), the relayed session can enroll for a certificate in the DC machine account's name, which is enough for full domain compromise. The class was widely publicized in 2021 by PetitPotam (coercion over MS-EFSRPC) and earlier by the SpoolSample/PrinterBug technique (coercion over MS-RPRN).

Overview

CVE-2022-26925 is an LSA spoofing vulnerability in Windows: an unauthenticated attacker with network access can call a method on a domain controller's LSARPC interface and coerce the DC into initiating NTLM authentication, as its machine account, to an attacker-chosen host. The coerced exchange alone is of little use, because a machine-account NTLM response is not crackable in practice; the severity comes from relaying it. Forwarded to the AD CS web enrollment endpoint, it lets the attacker enroll for a certificate for the DC's machine account, use that certificate with PKINIT to obtain a Kerberos TGT as the DC, and then run DCSync to replicate every account's credentials out of the domain. Microsoft scored the coercion itself at 8.1 and noted in the advisory FAQ that, chained with NTLM relay to AD CS, the combined score would be 9.8.

Warning: the May 2022 update for domain controllers also carries Microsoft's certificate-to-account mapping hardening (KB5014754, shipped for CVE-2022-26923 and CVE-2022-26931). With that change in place, certificate-based authentication can fail for smart card (PIV/CAC) logons and for NPS, RADIUS and EAP services whose certificates lack the new strong mapping. The breakage was serious enough that CISA temporarily withdrew this CVE from its KEV catalog and later published dedicated guidance on applying the patch safely. Read that guidance before deploying to domain controllers.

Affected Versions

Product                                        Vulnerable   Fixed
Windows Server 2008 R2 through 2022 (DC role)  Yes          May 2022 CU plus additional configuration
Windows 10 / 11                                Yes          May 2022 CU

Domain takeover requires AD CS with a web enrollment endpoint that accepts NTLM and does not require Extended Protection for Authentication, which is the default. The coercion also works against member servers, but the DC is the target that matters because its machine account carries replication rights. Without AD CS the coerced authentication can still be relayed to other services that do not enforce signing, such as LDAP or SMB, which is less direct but still serious.

Technical Details

The LSA spoofing vulnerability (tracked as CWE-306, missing authentication for critical function) lets an unauthenticated network attacker call a method on a domain controller's LSARPC interface, reachable over the \pipe\lsarpc named pipe on SMB (445/TCP), and make the DC open an outbound connection to an attacker-specified host, to which it authenticates with NTLM as its machine account. The coercion call itself requires no credentials at all, which is the missing-authentication defect the CVE describes.

Attack chain:

  1. The attacker calls a method on the DC's LSARPC interface that makes the DC connect to an attacker-supplied path (Microsoft's advisory does not name the method; the pattern is the same as PetitPotam's EFSRPC call)
  2. The DC connects to the attacker's relay server and authenticates with NTLM as its machine account (for example DC01$)
  3. The relay server forwards the NTLM messages, unchanged, to the AD CS HTTP enrollment endpoint (/certsrv); without Extended Protection for Authentication the endpoint cannot distinguish the relay from the DC
  4. AD CS issues a certificate for the DC's machine account from a template that permits machine enrollment
  5. The attacker presents that certificate as Kerberos PKINIT pre-authentication and receives a TGT as the DC
  6. With the DC's TGT the attacker requests directory replication (DCSync) and dumps every account's password hashes, krbtgt included

  • Authentication required: none for the coercion call; the relay is what turns it into domain takeover
  • High complexity: the relay listener, the enrollment and the certificate-to-TGT steps need infrastructure and tooling (Impacket ntlmrelayx, certipy)
  • Related techniques: PetitPotam (MS-EFSRPC), PrinterBug/SpoolSample (MS-RPRN), ShadowCoerce (MS-FSRVP)
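The chain above leaves a trail in standard Windows security events, and correlating them is the detection a SOC would want. The following is an added example, not tooling from the advisory or from Microsoft: it takes a constructed, simplified event stream (field names shortened from the real event XML; the hosts DC01, DC02 and CA01, their addresses and the attacker address 10.0.5.23 are assumptions) and reports a finding whenever a DC machine account logs on over NTLM from a non-DC address and is then followed, inside a time window, by a certificate issuance (4887), a certificate-based TGT request (4768 with PreAuthType 16) and replication rights being exercised (4662).

```python
"""Correlate Windows security events for the coercion -> NTLM relay -> AD CS -> PKINIT -> DCSync chain.

Added example; field names are simplified versions of the real event XML fields and the
sample log below is constructed.
"""
from datetime import datetime, timedelta

# Extended-right GUIDs that appear in the 4662 "Properties" field when an account
# exercises directory replication (DCSync).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
PA_PK_AS_REQ = "16"  # 4768 PreAuthType for certificate (PKINIT) pre-authentication


def _acct(name):
    """Normalise 'CORP\\DC01$', 'dc01$@corp.local' and 'DC01$' to 'DC01$'."""
    return name.split("\\")[-1].split("@")[0].upper()


def _when(event):
    return datetime.fromisoformat(event["time"])


def detect_dc_relay_chain(events, dc_accounts, dc_ips, window_minutes=60):
    """Return one finding per relayed DC machine-account logon, listing the later
    stages of the chain that followed it inside the correlation window.

    Trigger: 4624 network logon (type 3) via NTLM as a DC machine account from an
    address that is not a DC. DCs do authenticate to member servers, but a DC's
    credential arriving from a workstation or unknown host is the relay tell.
    """
    dcs = {_acct(a) for a in dc_accounts}
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=_when)
    findings = []
    for i, e in enumerate(ordered):
        if e["id"] != 4624 or e.get("auth_pkg") != "NTLM" or e.get("logon_type") != 3:
            continue
        acct = _acct(e.get("target_user", ""))
        if acct not in dcs or e.get("ip", "") in dc_ips:
            continue
        stages = ["ntlm_relay_logon"]
        for f in ordered[i + 1:]:
            if _when(f) - _when(e) > window:
                break
            # 4887: the CA issued a certificate; the requester is the relayed DC account.
            if f["id"] == 4887 and _acct(f.get("requester", "")) == acct:
                tag = "cert_issued"
            # 4768 with PreAuthType 16: a TGT obtained with a certificate (PKINIT),
            # again from a non-DC address.
            elif (f["id"] == 4768 and _acct(f.get("target_user", "")) == acct
                  and f.get("preauth_type") == PA_PK_AS_REQ and f.get("ip", "") not in dc_ips):
                tag = "pkinit_tgt"
            # 4662 with replication rights: DCSync. On its own this is routine DC-to-DC
            # replication, so it only counts as corroboration after the earlier stages.
            elif (f["id"] == 4662 and _acct(f.get("subject_user", "")) == acct
                  and (DS_REPLICATION_GET_CHANGES in f.get("properties", "")
                       or DS_REPLICATION_GET_CHANGES_ALL in f.get("properties", ""))):
                tag = "replication"
            else:
                continue
            if tag not in stages:
                stages.append(tag)
        severity = {1: "medium", 2: "high"}.get(len(stages), "critical")
        findings.append({"account": acct, "source_ip": e["ip"], "relay_target": e["host"],
                         "first_seen": e["time"], "stages": stages, "severity": severity})
    return findings


# Constructed sample: a relay of DC01$ from 10.0.5.23 against the CA host CA01, surrounded by
# benign DC traffic. DC addresses are assumed to be 10.0.1.10 (DC01) and 10.0.1.11 (DC02).
SAMPLE_EVENTS = [
    {"time": "2022-06-01T09:00:00", "id": 4624, "host": "CA01", "target_user": "CORP\\DC01$",
     "logon_type": 3, "auth_pkg": "NTLM", "ip": "10.0.1.10"},            # benign: from DC01 itself
    {"time": "2022-06-01T10:00:00", "id": 4624, "host": "CA01", "target_user": "CORP\\DC01$",
     "logon_type": 3, "auth_pkg": "NTLM", "ip": "10.0.5.23"},            # relayed DC01$ logon
    {"time": "2022-06-01T10:00:02", "id": 4887, "host": "CA01", "requester": "CORP\\DC01$",
     "template": "DomainController", "request_id": 1337},                # certificate issued
    {"time": "2022-06-01T10:01:00", "id": 4768, "host": "DC02", "target_user": "DC01$",
     "preauth_type": "16", "ip": "10.0.5.23"},                           # PKINIT TGT as DC01$
    {"time": "2022-06-01T10:02:00", "id": 4662, "host": "DC02", "subject_user": "DC01$",
     "properties": "{" + DS_REPLICATION_GET_CHANGES_ALL + "}"},          # DCSync
    {"time": "2022-06-01T10:05:00", "id": 4624, "host": "DC01", "target_user": "CORP\\DC02$",
     "logon_type": 3, "auth_pkg": "Kerberos", "ip": "10.0.1.11"},        # benign Kerberos logon
    {"time": "2022-06-01T10:06:00", "id": 4662, "host": "DC01", "subject_user": "DC02$",
     "properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},              # benign DC replication
]

if __name__ == "__main__":
    for finding in detect_dc_relay_chain(SAMPLE_EVENTS, ["DC01$", "DC02$"], {"10.0.1.10", "10.0.1.11"}):
        print(finding)
```

The 4624 trigger is the reliable part: a DC's credential arriving over NTLM from a workstation is rare enough to page on, which is why a relay logon with nothing after it is still reported, at medium. The 4662 stage is only corroboration, since DC accounts replicate with each other constantly; that is also why DCSync by a DC account is hard to catch after the fact and why the earlier stages are the ones worth alerting on.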

Discovery

Reported to Microsoft. The vulnerability belongs to the coercion-to-relay class popularized by Gilles Lionel (topotam) with PetitPotam in 2021. It carries the same title as Microsoft's August 2021 PetitPotam fix, CVE-2021-36942, and closes a further unauthenticated coercion path over the same LSARPC interface.

Exploitation Context

Active exploitation confirmed; CISA added the CVE to KEV and published specific guidance warning of deployment risks. NTLM relay to AD CS is a complete domain-takeover technique with widely available tooling (Impacket ntlmrelayx, PetitPotam.py, certipy). The attack needs no victim interaction and works from any network position that can reach the domain controller's SMB port (445/TCP), over which the lsarpc named pipe is exposed, plus a path from the DC back to the attacker's relay host and from the relay host to the AD CS enrollment endpoint.

Remediation

  1. Apply the May 2022 Patch Tuesday updates to domain controllers and members, but read CISA's deployment guidance first: the same DC update ships the certificate-mapping hardening of KB5014754, which can break certificate-based authentication (smart card logons, NPS/RADIUS/EAP) for certificates that lack the new strong mapping
  2. Alongside the patch, manage the KB5014754 enforcement level on the DCs: keep StrongCertificateBindingEnforcement (HKLM\SYSTEM\CurrentControlSet\Services\Kdc) at 1 (Compatibility mode) until certificates have been reissued with the SID extension, then move to 2 (Full Enforcement); enforcing LDAP signing and LDAP channel binding is also worthwhile, but as relay hardening for LDAP rather than as part of this patch's configuration
  3. Harden the AD CS web enrollment endpoints (CertSrv and, if deployed, the Certificate Enrollment Web Service): require TLS, set Extended Protection for Authentication to Required, and prefer Kerberos by removing NTLM from the site's providers; remove HTTP-based enrollment entirely where it is not needed
  4. Reduce NTLM use on domain controllers (audit with the Restrict NTLM policies first, then restrict) and require SMB signing and SPN target name validation on servers, so a relayed DC credential is rejected by SMB targets as well
  5. Restrict inbound SMB (445/TCP), which carries the lsarpc named pipe the coercion uses, and RPC (135/TCP plus the dynamic range) to domain controllers from untrusted segments; where possible also block outbound SMB from DCs to non-DC hosts, which keeps the coerced connection from reaching a relay
  6. Watch for the chain: NTLM network logons for DC machine accounts from non-DC addresses (event 4624), AD CS certificate requests and issuances for DC accounts (4886/4887), TGT requests with certificate pre-authentication from unexpected hosts (4768 with PreAuthType 16) and replication rights exercised by those accounts (4662)
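The web-enrollment hardening in the list above (TLS required, EPA required, NTLM removed) comes down to a few IIS settings on the enrollment site, and they can be audited offline from an exported applicationHost.config. The block below is an added example, not Microsoft's tooling: it parses two constructed config fragments, one with the defaults that make /CertSrv relayable and one hardened as Microsoft's AD CS relay mitigation guidance (KB5005413) recommends, and reports which of the three settings is missing. The site path "Default Web Site/CertSrv", the IIS default values used when an element is absent, and the assumption that a <providers> list begins with <clear /> (as the IIS UI writes it) are assumptions of the example.

```python
"""Audit an IIS applicationHost.config fragment for the AD CS web-enrollment hardening that
stops NTLM relay to /CertSrv: TLS required and Extended Protection for Authentication (EPA)
set to Require. Added example; the config fragments below are constructed."""
import xml.etree.ElementTree as ET

# IIS defaults that apply when the attribute or element is absent (assumed, see lead-in).
DEFAULT_SSL_FLAGS = "None"           # plain HTTP accepted
DEFAULT_TOKEN_CHECKING = "None"      # no channel-binding check at all
DEFAULT_PROVIDERS = ["Negotiate", "NTLM"]


def _child(elem, tag):
    """First direct child with this tag; avoids ElementPath parsing of dotted tag names."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)


def audit_certsrv(config_xml, site_path="Default Web Site/CertSrv"):
    """Return (code, message) findings for the <location> configuring the enrollment site.
    An empty list means the relay-to-AD CS path is closed at that path."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site_path), None)
    if loc is None:
        return [("NO_LOCATION", f'no <location path="{site_path}"> element; the site inherits '
                 "the server defaults (HTTP allowed, EPA off), audit those instead")]

    findings = []
    security = _child(_child(loc, "system.webServer"), "security")

    # 1. TLS: without "Ssl" in sslFlags the endpoint answers on plain HTTP, and EPA has
    #    no TLS channel to bind the NTLM exchange to.
    access = _child(security, "access")
    raw_flags = access.get("sslFlags", DEFAULT_SSL_FLAGS) if access is not None else DEFAULT_SSL_FLAGS
    if "Ssl" not in {f.strip() for f in raw_flags.split(",")}:
        findings.append(("HTTP_ALLOWED", "sslFlags lacks 'Ssl': enrollment is reachable over plain HTTP"))

    win = _child(_child(security, "authentication"), "windowsAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        findings.append(("NO_WINDOWS_AUTH", "Windows authentication is off at this path; nothing to "
                         "relay here, confirm this really is the enrollment endpoint"))
        return findings

    # 2. EPA: only tokenChecking="Require" rejects a relayed exchange with no channel binding;
    #    "Allow" accepts clients that simply omit it, which is what a relay does.
    ep = _child(win, "extendedProtection")
    token = ep.get("tokenChecking", DEFAULT_TOKEN_CHECKING) if ep is not None else DEFAULT_TOKEN_CHECKING
    if token != "Require":
        findings.append(("EPA_NOT_REQUIRED", f"extendedProtection tokenChecking is '{token}', expected 'Require'"))

    # 3. NTLM: with EPA required the relay already fails, but dropping the provider removes
    #    the surface entirely. Assumes the list starts with <clear /> as the IIS UI writes it.
    prov = _child(win, "providers")
    providers = [a.get("value") for a in prov if a.tag == "add"] if prov is not None else DEFAULT_PROVIDERS
    if "NTLM" in providers:
        findings.append(("NTLM_OFFERED", "NTLM is still offered on the enrollment site"))
    return findings


# Constructed fragments: the default-like weak configuration and the hardened one.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
            <providers>
              <clear />
              <add value="Negotiate" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_certsrv(cfg) or "OK")
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config from the CA web server; if the enrollment site has no <location> of its own, the NO_LOCATION result is itself the finding, because it means the site runs on the server-wide defaults.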

Key Details

Property              Value
CVE ID                CVE-2022-26925
Vendor / Product      Microsoft / Windows
NVD Published         2022-05-10
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-306
CISA KEV Added        2022-07-01
CISA KEV Deadline     2022-07-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-07-22. Apply remediation actions outlined in CISA guidance.

Timeline

Date         Event
2022-05-10   Microsoft patches CVE-2022-26925 in the May 2022 Patch Tuesday release
2022-06-28   CISA publishes dedicated guidance on the risks of deploying the update to domain controllers
2022-07-01   Re-added to the CISA Known Exploited Vulnerabilities catalog (first listed in May 2022 and temporarily withdrawn while the authentication failures were investigated)
2022-07-22   CISA BOD 22-01 remediation deadline