CVE-2026-25177

HIGH

Active Directory Domain Services - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25177. PoCs published by XiaomingX, danaug23.

AI-analyzed exploit summary: This repository contains a production-safe scanner for detecting exploitation of CVE-2026-25177, an Active Directory SPN Unicode Collision vulnerability. The tool identifies Unicode characters in SPNs, duplicate SPNs, and recent SPN modifications without performing any exploitative actions.

Description

Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

Exploits (2)

github SCANNER 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25177

This repository contains a production-safe scanner for detecting exploitation of CVE-2026-25177, an Active Directory SPN Unicode Collision vulnerability. The tool identifies Unicode characters in SPNs, duplicate SPNs, and recent SPN modifications without performing any exploitative actions.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Active Directory Domain Controllers (Windows Server 2012-2025)
Auth required
Prerequisites: Authenticated domain user with read permissions · LDAP access to Active Directory
devstral-2 · analyzed Mar 15, 2026

nomisec SCANNER
by danaug23 · poc
https://github.com/danaug23/detect_CVE-2026-25177

This repository contains a production-safe scanner for detecting exploitation of CVE-2026-25177, an Active Directory SPN Unicode Collision vulnerability. The tool identifies Unicode characters in SPNs, duplicate SPNs, and recent SPN modifications, providing detailed reports without modifying any AD objects.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Active Directory Domain Controllers (Windows Server 2012 through 2025)
Auth required
Prerequisites: Authenticated domain user with read permissions · Access to LDAP/AD environment
devstral-2 · analyzed Apr 29, 2026

Scores

CVSS v3 8.8
EPSS 0.0124
EPSS Percentile 65.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-641
Status published
Products (37)
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.8957
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8511
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7058
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7058
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8037
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8037
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1719
Microsoft/Windows 11 Version 26H1 10.0.28000.0 - 10.0.28000.1719
... and 27 more
Published Mar 10, 2026
Tracked Since Mar 11, 2026