This article discusses “Unicode Manipulation: CVE-2026-25177 Privilege Escalation in AD”. On March 10, 2026, Microsoft disclosed a new security vulnerability affecting Active Directory Domain Services (AD DS). Please, see How to run Apps as an administrator on Windows, and how to Enable Exploit Protection feature on Windows using the Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy.
The flaw, identified as CVE‑2026‑25177, allows an authenticated attacker to gain privilege escalation over the network, potentially reaching SYSTEM‑level privileges, the highest level in Windows environments.
Microsoft classified the vulnerability as Important, assigning it a CVSS 3.1 score of 8.8, indicating a high-risk issue especially for enterprise environments where Active Directory is the core identity and authentication infrastructure.
Technically, the vulnerability is linked to CWE‑641: Improper Restriction of Names for Files and Other Resources. The issue stems from insufficient validation of names for certain resources inside Active Directory. Specifically, it affects Service Principal Names (SPN) and User Principal Names (UPN), which are critical for Kerberos authentication.
Microsoft explains that an attacker with limited privileges but authorized to modify SPNs on an account can exploit specially crafted Unicode characters to bypass internal controls designed to prevent duplicate name creation in Active Directory.
How to How to use the built-in Azure Active Directory Connect tool, How to check and assign privileges to a MySQL User, and “CVE-2021-22048: VMware vCenter Server updates address a privilege escalation vulnerability“.
Exploit Not Disclosed
Microsoft stated at publication time that the vulnerability had not been publicly disclosed before the patch and that no active exploits are known to exist in the wild.
The issue can allow the creation of duplicate SPNs that bypass standard Active Directory validation checks. The attack works by inserting carefully crafted Unicode characters into an SPN or UPN to generate what appears to be a legitimate duplicate of an existing service name.
When a client requests Kerberos authentication for that service, the Domain Controller may issue a ticket encrypted with the wrong key, causing the target service to reject it.
This behavior can lead to operational issues:
- in some cases, the service may experience a denial of service due to invalid Kerberos tickets;
- in other scenarios, the system may fall back to NTLM authentication, which still exists in many legacy environments and could open the door to additional attack techniques that rely on NTLM.
If you wish to read more, kindly vist the following page. Also, see how to replace Veeam Recovery Orchestrator License, and how to Fix failed to connect to the backup server: Make sure it is online
I hope you found this post on “Unicode Manipulation: CVE-2026-25177 Privilege Escalation in AD” very useful. Please feel free to leave a comment below.
