hi. let’s talk about trust. not the fluffy HR kind. I mean the kind your SIEM thinks it has when Defender for Identity (MDI) flags a user as clean.
well… turns out that trust can be spoofed. thanks to a newly disclosed vulnerability — CVE-2025-26685 — discovered and detailed by NetSPI. this one’s ugly. it lets attackers bypass detection in Microsoft Defender for Identity by spoofing authentication traffic that appears totally legit to the sensor. yeah, that means your security tools could be watching a fake user session and thinking everything’s just fine.
what is Microsoft Defender for Identity (MDI)?
MDI is that silent watcher sitting inside your domain controller, monitoring all Active Directory traffic. it’s looking for lateral movement, ticket abuse, DC syncs, pass-the-hash, golden tickets — the usual AD horror show. it uses deep packet inspection and behavior analytics to raise the red flags.
except, now we know there’s a blind spot.
what does CVE-2025-26685 do?
in short: the attacker spoofs a Kerberos authentication event in such a way that MDI believes it’s legit.
NetSPI found that MDI sensors can be fooled by forged Kerberos TGS requests, especially when the attacker mimics traffic from monitored entities (like DCs, Exchange servers, or other high-value targets). the spoofed traffic looks real enough to avoid triggering alerts — or worse, creates false confidence in a compromised identity.
attackers can abuse this to:
- hide lateral movement between hosts
- mask use of stolen Kerberos tickets
- trick defenders into trusting poisoned identity data
why this matters
because MDI is one of the key layers in Microsoft’s Zero Trust model for hybrid AD. if the sensor lies, your entire detection pipeline gets skewed. think false negatives, ghost activity, and broken incident timelines.
this also breaks trust in correlated events — like when Defender XDR ties MDI signals to endpoint logs. if MDI gets duped, your response team might chase a decoy while the real attacker pivots elsewhere.
who’s affected?
any org using Microsoft Defender for Identity, especially in hybrid AD environments. that includes:
- on-prem AD with Azure AD Connect
- hybrid Exchange deployments
- organizations relying on Kerberos + MDI-based detections
mitigations and Microsoft’s response
Microsoft assigned this CVE a medium severity rating, but trust me, the real-world impact is bigger. they released a patch in the latest MDI sensor update, so if you haven’t updated yet — do it now. also:
- review sensor deployment locations
- enable verbose logging for Kerberos and MDI
- monitor for abnormal TGS request patterns
- feed enriched data into Sentinel or your SIEM for correlation
TL;DR
CVE-2025-26685 proves that even our detection layers can be misled. if you’re depending on MDI to catch identity-based attacks, make sure it’s patched, hardened, and cross-checked. cause the worst kind of false positive is no alert at all.
stay safe
rgds,
Alex