Windows Server 2025 Archives

Winsage

May 29, 2025

Securing Windows Endpoints in 2025 Enterprise Environments

In 2025, 61% of organizations worldwide have adopted Zero Trust initiatives, up from 24% in 2021. Microsoft's Zero Trust framework centralizes security policy enforcement through the cloud, with integrated solutions like Microsoft Defender for Endpoint. AI is now a critical component of endpoint security, enabling systems to detect irregularities and autonomously isolate compromised devices. Microsoft introduced Quick Machine Recovery (QMR) to allow IT administrators to fix unbootable PCs remotely. Windows Server 2025 features enhanced security measures, including advanced algorithms and a customized security baseline with over 350 preconfigured settings. Additionally, 75% of organizations are consolidating security vendors, favoring comprehensive platforms like SentinelOne Singularity and Microsoft Defender XDR. Windows Defender Application Control (WDAC) has been enhanced to better regulate application usage, with Microsoft promoting its adoption over AppLocker.

Winsage

May 26, 2025

Windows 11 gets quantum-hardened cryptography technology

Microsoft has integrated post-quantum cryptography (PQC) into Windows 11, starting with the Canary build 27852, to protect against quantum computer threats. The upgrade to SymCrypt, Microsoft's cryptographic library, now supports two PQC algorithms: ML-KEM and ML-DSA. This enhancement aims to improve security, performance, and compatibility across platforms. PQC is also being adopted in industry standards such as TLS, SSH, and IPSec. SymCrypt underpins various Microsoft services and operating systems, including Microsoft 365, Azure, and Windows 11. Microsoft is preparing its ecosystem for future quantum attacks, with PQC currently trialed in Windows 11 and expected to reach Linux soon. There are no specific timelines for updates to BitLocker. Recent research demonstrated a D-Wave quantum computer's ability to crack military-grade encryption, highlighting the increasing threat of quantum computing to classical cryptography.

Winsage

May 23, 2025

Unpatched Windows Server vulnerability allows full domain compromise

A newly discovered privilege escalation vulnerability in Windows Server 2025, known as the “BadSuccessor” attack, allows attackers to compromise any user within Active Directory (AD), including those with Domain Admin privileges. This vulnerability stems from the delegated Managed Service Account (dMSA) feature, which can be exploited by creating a new dMSA linked to any user or computer account without requiring direct access to the original account. Researchers found that 91% of examined environments had users outside the Domain Admin group with the necessary permissions to execute this attack. Microsoft has been notified and is working on a patch, while organizations are advised to restrict dMSA creation to trusted administrators and enhance their security measures.

Winsage

May 22, 2025

Windows Server Flaw a Shortcut to Privilege Escalation

An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, is associated with a method called "BadSuccessor." This flaw, considered "trivial" to exploit and present in the default configuration, allows for privilege escalation and potential full domain compromise. The vulnerability arises from delegated managed service accounts (dMSA), which were intended to enhance security during the migration of legacy service accounts. However, dMSAs can inherit permissions from legacy accounts, enabling attackers to simulate a migration and gain access to the permissions and encryption keys of those accounts without verification. The attack requires prior permissions within an Active Directory organizational unit, indicating a previous breach. Akamai reported the vulnerability to Microsoft on April 1, but Microsoft classified its severity as "moderate." Akamai recommends organizations restrict the creation of dMSAs to mitigate risks associated with this vulnerability.

Winsage

May 21, 2025

New Windows Server 2025 Attack Compromises Any Active Directory User

A significant security flaw, named BadSuccessor, has been discovered in Windows Server 2025, posing a serious risk to Active Directory users. This privilege escalation vulnerability allows attackers to compromise any user in Active Directory and is alarmingly easy to exploit, requiring only basic permissions on any organizational unit. Currently, no patch is available for this vulnerability. In 91% of environments examined, users outside the domain admins group had the necessary permissions to execute the attack. The exploit leverages the delegated Managed Service Account (dMSA) feature, enabling attackers to take control of any principal within the domain. Microsoft has rated the vulnerability as moderate severity and plans to address it in a future update, noting that elevated user permissions are required for successful exploitation. Organizations are advised to identify and eliminate unnecessary permissions to mitigate potential threats.

Winsage

May 21, 2025

Active Directory DMSA Attack Detailed By Researchers

The delegated Managed Service Account (dMSA) feature in Windows Server 2025 has a privilege escalation vulnerability that allows attackers to compromise any user in an Active Directory (AD) environment. Research by Yuval Gordon revealed that in 91% of examined environments, users outside the domain admins group had the necessary permissions to exploit this vulnerability. The attack can be executed with benign permissions on any organizational unit (OU) and does not require actual migration of accounts. Gordon's technique, called “BadSuccessor,” enables an attacker controlling a dMSA object to inherit the permissions and keys of any user, including those with high privileges. Microsoft has acknowledged the vulnerability but categorized it as a Moderate severity issue. Akamai recommends limiting the creation of dMSAs and tightening permissions until a patch is released.

Winsage

May 19, 2025

Windows Remote Desktop Gateway UAF Vulnerability Allows Remote Code Execution

A critical vulnerability, designated as CVE-2025-21297, has been identified in Microsoft’s Remote Desktop Gateway (RD Gateway) due to a use-after-free (UAF) bug linked to concurrent socket connections during the service's initialization. This flaw, located in the aaedge.dll library within the CTsgMsgServer::GetCTsgMsgServerInstance function, allows multiple threads to overwrite a global pointer, leading to potential arbitrary code execution. The vulnerability affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft released security updates in May 2025 to address the issue, implementing mutex-based synchronization. The updates are KB5050011 for Windows Server 2016, KB5050008 for Windows Server 2019, KB5049983 for Windows Server 2022, and KB5050009 for Windows Server 2025. Security experts recommend applying these patches promptly and monitoring RD Gateway logs for unusual activity.

Winsage

May 15, 2025

Windows Remote Desktop Gateway Vulnerability Let Attackers Trigger Dos Condition

The Microsoft Security Response Center (MSRC) has released critical security updates to address a significant vulnerability in the Windows Remote Desktop Gateway service, identified as CVE-2025-26677, which allows unauthorized attackers to cause denial of service (DoS) conditions. This vulnerability is rated as "High" severity with a CVSS score of 7.5 and affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft has provided security updates (KB5058383, KB5058392, KB5058385, and KB5058411) to rectify the issue. Additionally, another vulnerability, CVE-2025-29831, has been identified that could enable remote code execution (RCE) through a Use After Free weakness, also rated with a CVSS score of 7.5. This vulnerability requires user interaction, specifically an admin user to stop or restart the service, and affects Windows Server versions 2008 R2, 2012/R2, 2016, 2019, 2022, and 2025. Organizations are advised to prioritize patching both vulnerabilities and to review network configurations to limit exposure of Remote Desktop Gateway services. The vulnerabilities were discovered by security researchers from Kunlun Lab.

Winsage

May 7, 2025

Microsoft: April updates cause Windows Server auth issues

Microsoft has acknowledged that the April 2025 security updates are causing authentication challenges for certain Windows Server domain controllers, specifically affecting Windows Server versions 2016, 2019, 2022, and 2025. The issues arise after installing the April Windows monthly security update (KB5055523 or later), leading to complications in processing Kerberos logons or delegations that rely on certificate-based credentials. Affected authentication protocols include Kerberos PKINIT, S4U via RBKCD, and KCD. These issues are linked to security measures addressing the critical vulnerability CVE-2025-26647, which allows authenticated attackers to escalate privileges remotely. A temporary workaround involves modifying a registry value. Microsoft has previously addressed similar authentication issues in Windows 11, Windows Server 2025, and earlier versions.

Winsage

May 6, 2025

Microsoft pushes fix for Windows 11 update 0x80240069 errors

Microsoft has resolved an issue that affected the delivery of Windows 11 24H2 feature updates via Windows Server Update Services (WSUS) after the installation of the April 2025 security updates. Users reported upgrade problems, specifically encountering error code 0x80240069 during attempts to update from Windows 11 23H2 or 22H2. The update complications primarily impact enterprise environments using WSUS, while home users are less likely to experience these issues. Microsoft is rolling out a fix through Known Issue Rollback (KIR) for enterprise-managed devices, requiring IT administrators to implement the KIR Group Policy on affected endpoints. Additionally, Microsoft is addressing a separate issue where some PCs were upgraded to Windows 11 despite Intune policies preventing such upgrades.