CVE-2026-25177

High

Published: 10 March 2026

Published

10 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 17.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25177 is a high-severity Improper Restriction of Names for Files and Other Resources (CWE-641) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely identification, reporting, and remediation of software flaws like improper resource name restrictions in Active Directory Domain Services.

SI-10 Information Input Validation good match

prevent

Mandates information input validation at entry points, directly countering the improper restriction of names for files and resources that enables privilege escalation.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to limit low-privileged domain users' ability to exploit the naming vulnerability for escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability description explicitly states that an authenticated domain user can remotely exploit improper resource name restrictions in Active Directory Domain Services to achieve privilege escalation (CVSS impacts on C/I/A), which directly maps to the definition and use of T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

Deeper analysisAI

CVE-2026-25177 is a vulnerability in Active Directory Domain Services stemming from improper restriction of names for files and other resources, classified under CWE-641. It affects Microsoft Active Directory Domain Services, enabling an authorized attacker to elevate privileges over a network. The issue received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

An attacker with low privileges, such as an authenticated domain user, can exploit this vulnerability remotely without user interaction. Successful exploitation allows privilege escalation, potentially granting higher-level access within the Active Directory environment and compromising the domain's security.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25177 provides details on mitigation strategies and available patches for addressing the vulnerability. Security practitioners should review the update guide promptly to apply relevant fixes.

Details

CWE(s): CWE-641

Affected Products

microsoft

windows 10 1607

≤ 10.0.14393.8957 · ≤ 10.0.14393.8957

microsoft

windows 10 1809

≤ 10.0.17763.8511 · ≤ 10.0.17763.8511

microsoft

windows 10 21h2

≤ 10.0.19044.7058 · ≤ 10.0.19044.7058 · ≤ 10.0.19044.7058

microsoft

windows 10 22h2

≤ 10.0.19045.7058 · ≤ 10.0.19045.7058 · ≤ 10.0.19045.7058

microsoft

windows 11 23h2

≤ 10.0.22631.6783 · ≤ 10.0.22631.6783

microsoft

windows 11 24h2

≤ 10.0.26100.7979 · ≤ 10.0.26100.7979

microsoft

windows 11 25h2

≤ 10.0.26200.7979 · ≤ 10.0.26200.7979

microsoft

windows 11 26h1

≤ 10.0.28000.1719 · ≤ 10.0.28000.1719

microsoft

windows server 2012

all versions, r2

microsoft

windows server 2016

≤ 10.0.14393.8957

+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-27916Same product: Microsoft Windows 10 1607

CVE-2026-32077Same product: Microsoft Windows 10 1607

CVE-2026-26168Same product: Microsoft Windows 10 1607

CVE-2026-24294Same product: Microsoft Windows 10 1607

CVE-2026-27914Same product: Microsoft Windows 10 1607

CVE-2026-27909Same product: Microsoft Windows 10 1607

CVE-2026-27915Same product: Microsoft Windows 10 1607

CVE-2026-27923Same product: Microsoft Windows 10 1607

CVE-2026-27919Same product: Microsoft Windows 10 1607

CVE-2026-26128Same product: Microsoft Windows 10 1607

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25177
Vendor Advisory · secure@microsoft.com