Microsoft has issued a fix for a Windows Local Security Authority (LSA) spoofing zero-day vulnerability that could be abused to force domain controller authentication through the Windows NT LAN Manager (NTLM) protocol, BleepingComputer reports.
Threat actors have already been actively exploiting the flaw, tracked as CVE-2022-26925, and it may be a new PetitPotam NTLM relay attack vector. While the vulnerability can only be abused in highly complex man-in-the-middle attacks, it can be leveraged to intercept legitimate authentication requests and escalate privileges to completely compromise domains.
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it. [..] This vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates," said Microsoft, which added that the flaw affects all versions of Windows beginning from Windows 7 and Windows Server 2008.