CVE-2025-21299: Unguarding Microsoft Credential Guard

A newly discovered vulnerability, CVE-2025-21299, allows an attacker to bypass Credential Guard in Windows by exploiting improper validation in Kerberos TGTs. The issue was partially mitigated in the January 2025 Patch Tuesday update and fully addressed in April 2025 with the fix tracked as CVE-2025-29809. This vulnerability could potentially lead to unauthorized access to primary credentials.

Affected: Windows platforms, Credential Guard

Key points:

  • Two vulnerabilities (CVE-2025-21299 and CVE-2025-29809) affect Windows Credential Guard.
  • CVE-2025-21299 involves a Kerberos TGT credential bypass due to insufficient validation.
  • Credential Guard utilizes Virtualization Based Security to protect primary credentials.
  • Canonicalization is crucial to the Kerberos process involving principal names.
  • The patch for CVE-2025-21299 was ineffective as it did not account for LDAP character escaping.
  • CVE-2025-29809 was released in April 2025 to fully resolve the bypass issue.

MITRE Techniques:

  • T1558.001 – Credentials from Password Stores: extracting Kerberos TGTs by abusing improperly validated principal-name canonicalization.
  • T1075.001 – Server Message Block (SMB): service ticket exploitation via crafted service principal names.

Indicators of Compromise:

  • [Domain] ec.lab
  • [Domain] ethicalchaos.dev
  • [Domain] target.com
  • [LDAP DN fragment] users,dc=ec,dc=lab
  • [LDAP DN fragment] users,dc=ethicalchaos,dc=dev

Full Story: https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/