Active Exploitation of Windows LSA Spoofing Vulnerability

Published on 06 Jul 2022

Updated on 06 Jul 2022

There have been reports of active exploitation of a Windows Local Security Authority (LSA) spoofing vulnerability (CVE-2022-26925), which has been confirmed to be a new PetitPotam Windows NT LAN Manager (NTLM) Relay attack vector.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to call a method on the Local Security Authority Remote Procedure Call (LSARPC) interface and coerce the domain controller to authenticate to the attacker using NTLM, potentially allowing the attacker to take over the entire Windows domain.

Users and administrators are advised to apply the relevant security update, which detects anonymous connection attempts to LSARPC and disallows them. Users and administrators are also advised to conduct any necessary testing to ensure that applying the update does not cause service authentication problems within their environment.


References:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925
https://nvd.nist.gov/vuln/detail/CVE-2022-26925