Cyber Posture

CVE-2025-53778

High

Published: 12 August 2025

Modified: 17 October 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0100 (77.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53778 is a high-severity Improper Authentication (CWE-287) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 22.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires timely identification, reporting, and correction of system flaws like the NTLM improper authentication vulnerability through vendor patches and updates.

prevent: Establishes secure configuration settings to disable or restrict use of the vulnerable NTLM protocol, aligning with provided mitigation scripts.

prevent: Mandates robust identification and authentication for organizational users over networks, directly countering the improper authentication in Windows NTLM.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Improper auth bypass in NTLM directly enables remote privilege escalation from low to high privileges on Windows systems.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.

Deeper analysis · AI

CVE-2025-53778 is an improper authentication vulnerability in the Windows NTLM authentication protocol, published on 2025-08-12. It affects Windows systems utilizing NTLM for network authentication and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-287 (Improper Authentication). The flaw enables an authorized attacker to bypass authentication mechanisms and escalate privileges remotely over a network.

An attacker with low-level privileges (PR:L) on a network-connected system can exploit this vulnerability without user interaction or high complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, specifically allowing privilege escalation from an authorized but limited account to higher privileges, potentially leading to full system compromise.

Microsoft's Security Response Center (MSRC) provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53778 detailing remediation steps. Vicarius offers community resources including a detection script (https://www.vicarius.io/vsociety/posts/cve-2025-53778-detection-script-improper-authentication-vulnerability-affecting-windows-ntlm) and a mitigation script (https://www.vicarius.io/vsociety/posts/cve-2025-53778-mitigation-script-improper-authentication-vulnerability-affecting-windows-ntlm) to identify and address the NTLM authentication weakness in affected Windows environments.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products

microsoft windows 10 1507: ≤ 10.0.10240.21100
microsoft windows 10 1607: ≤ 10.0.14393.8330
microsoft windows 10 1809: ≤ 10.0.17763.7678
microsoft windows 10 21h2: ≤ 10.0.19044.6216
microsoft windows 10 22h2: ≤ 10.0.19045.6216
microsoft windows 11 22h2: ≤ 10.0.22621.5768
microsoft windows 11 23h2: ≤ 10.0.22631.5768
microsoft windows 11 24h2: ≤ 10.0.26100.4851
microsoft windows server 2008: all versions, r2
microsoft windows server 2012: all versions, r2
+5 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-54918 · Same product: Microsoft Windows 10 1507
CVE-2026-24294 · Same product: Microsoft Windows 10 1607
CVE-2026-26128 · Same product: Microsoft Windows 10 1607
CVE-2025-21359 · Same product: Microsoft Windows 10 1507
CVE-2025-24072 · Same product: Microsoft Windows 10 1507
CVE-2025-21419 · Same product: Microsoft Windows 10 1507
CVE-2025-21287 · Same product: Microsoft Windows 10 1507
CVE-2025-55234 · Same product: Microsoft Windows 10 1507
CVE-2025-21373 · Same product: Microsoft Windows 10 1507
CVE-2025-21375 · Same product: Microsoft Windows 10 1507

References