CVE-2025-53779

HIGH

Windows Kerberos - Privilege Escalation

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-53779. PoCs published by b5null, Musa-xvi, wnaspy.

Description

Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network.

Exploits (3)

nomisec WORKING POC 44 stars
by b5null · poc
https://github.com/b5null/Invoke-BadSuccessor.ps1

This PowerShell script exploits CVE-2025-53779 by enumerating Active Directory ACLs to identify OUs where a user has CreateChild rights, enabling privilege escalation via child object creation. It includes functions to filter default SIDs and admin groups, focusing on non-standard permissions.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Active Directory (specific version not specified)
Auth required
Prerequisites: Active Directory environment · RSAT ActiveDirectory module · Valid user credentials with some AD permissions
devstral-2 · analyzed Feb 19, 2026

github STUB
by Musa-xvi · poc
https://github.com/Musa-xvi/Active-Directory-BadSuccessor

The repository contains only a minimal README with no technical details or exploit code. It references a TryHackMe room but provides no actionable information about CVE-2025-53779.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Active Directory (version unspecified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Jun 05, 2026

github SCANNER
by wnaspy · powershell · poc
https://github.com/wnaspy/CVE-POC-WEAPON/tree/main/CVE-2025-53779.ps1

The repository contains a PowerShell script designed to scan Active Directory for misconfigured ACLs, specifically identifying OUs where a user or their groups have CreateChild rights. It does not exploit CVE-2025-53779 but provides detection capabilities for potential privilege escalation paths.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Active Directory (version not specified)
Auth required
Prerequisites: Active Directory environment · RSAT ActiveDirectory module · Valid AD credentials
devstral-2 · analyzed Mar 09, 2026

Scores

CVSS v3: 7.2
EPSS: 0.0259
EPSS Percentile: 83.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-23
Status: published
Products (1): microsoft/windows_server_2025 < 10.0.26100.4851
Published: Aug 12, 2025
Tracked Since: Feb 18, 2026