Service announcement: Microsoft released a number of patches earlier this week, including a patch for a zero-day vulnerability tracked as ‘CVE-2022-26925: Windows Local Security Authority (LSA) Spoofing Vulnerability’. This is a new type of NTLM relay attack that uses a flaw in LSARPC.

Unauthenticated attackers can call a method on the LSARPC interface to coerce the domain controller into authenticating to the attacker using NTLM. The patch released by Microsoft detects anonymous connection attempts in LSARPC and disallows them.

The potential threat is that attackers intercept large authentication requests and use them to elevate privileges, up to assuming the identity of a domain controller.

Affected Windows versions

  • Windows Server 2008 – Windows Server 2022 (all versions)
  • Windows 7 – Windows 10 (all versions)

What is the exploit? 

NTLM (NT LAN Manager) relay attacks are an attack method in which an actor with access to a network sends an authentication request, intercepts the authentication attempt, and relays it to gain unauthorised access to resources.

As the exploit is currently confidential, there is no proof of concept known or readily available. The information detailed above is the only information currently known about the attack; however, we are tracking the live situation and will share updates if they become available.

Patches and workarounds

Microsoft has released a complete list of fixed versions and produced a list of downloadable links to patches to install.

Microsoft has also stated that the priority is to patch domain controllers with security updates first, as these are most at risk.

Based on the severity of the event and the probability of the event occurring, we strongly recommend patching all Windows devices as soon as possible, starting with domain controllers as advised by Microsoft.

The vulnerability itself has been seen in the wild and is easily exploitable.

This is an ongoing event, and we are continuing to track developments. If you have any questions or require support, please contact our IT service desk on 01904 562207 or email [email protected].