CVE-2025-33073: A New Technique for Reflective NTLM Relay Attack
Executive Summary
On 10 June 2025, Microsoft released patches for a total of 66 vulnerabilities, two of them zero-days. One of the zero-days, CVE-2025-33073 (Windows SMB Client Elevation of Privilege Vulnerability), allows an unauthorized user to execute commands remotely and escalate privileges in an Active Directory environment.
Introduction
CVE-2025-33073 was disclosed by security researchers. It allows the default DNS permissions in an Active Directory infrastructure to be abused in order to gain control of the entire system.
By default, every user in an Active Directory environment has the privilege to create new A records in the AD-integrated DNS service.
To exploit the vulnerability, the attacker adds a crafted DNS entry. This entry looks like the name of a victim computer but resolves to the attacker’s IP address.
Subsequently, the attacker triggers a coercion attack (such as MS-RPRN/PrinterBug, MS-EFSR/PetitPotam, or MS-DFSNM/DFSCoerce) to force the target server to perform an NTLM authentication to the host behind the attacker’s DNS entry.
If SMB Signing is not enforced on the server, the attacker can perform an NTLM reflection attack by reflecting the authentication session back to the same machine. This grants the attacker NT AUTHORITY\SYSTEM privileges. With SYSTEM-level access, the attacker can obtain password hashes from the SAM or LSASS, execute commands, and compromise the server and potentially the entire AD domain.
In this vulnerability’s NTLM relay attack, the attacker reflects the authentication session back to the machine it originated from. Because this attack vector can be applied to any computer in the Active Directory environment, the attacker can gain full privileges in the target domain.
Microsoft fixed this vulnerability with the 10 June 2025 patch. In addition, the following precautions should be taken in Active Directory environments for extra protection:
● Set the SMB Signing feature to “Required”
● Eliminate coercion vulnerabilities such as MS-RPRN/PrinterBug, PetitPotam or DFSCoerce
● Remove DNS entry creation privileges from unauthorized users or groups such as “Authenticated Users”
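The following PowerShell script is an added example, not part of the original advisory, that audits the hardening points above on a domain-joined host: whether SMB signing is required on the server and client side, whether the Print Spooler (needed for MS-RPRN coercion) is running, and which broad principals hold create rights on the AD-integrated forward zone. It assumes the ActiveDirectory RSAT module, read access to the zone ACL, and that the zone is stored in the default DomainDnsZones partition.

```powershell
# Added example (not part of the original post): audit CVE-2025-33073 hardening points.
# Assumes the ActiveDirectory RSAT module and that the domain's forward zone lives in
# the default DomainDnsZones partition (adjust $zoneDn otherwise).
Import-Module ActiveDirectory
$domain = Get-ADDomain
$zoneDn = "DC=$($domain.DNSRoot),CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"

# 1) SMB signing must be required on both sides; a relayed session that cannot
#    produce valid signatures is rejected by a signing-required service.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
foreach ($pair in @(
    @{ Side = 'Server'; Required = $srv.RequireSecuritySignature
       Fix  = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force' },
    @{ Side = 'Client'; Required = $cli.RequireSecuritySignature
       Fix  = 'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force' })) {
    [pscustomobject]@{
        Check  = "SMB $($pair.Side) RequireSecuritySignature"
        Status = if ($pair.Required) { 'OK' } else { "FIX: $($pair.Fix)" }
    }
}

# 2) MS-RPRN (PrinterBug) coercion needs the Print Spooler service; servers that
#    do not print should have it stopped and disabled.
Get-Service -Name Spooler | Select-Object Name, Status, StartType

# 3) Which broad principals may create records (child objects) in the zone?
#    The default grant to 'Authenticated Users' is what the DNS-entry step relies on.
#    An all-zero ObjectType GUID means "all child objects".
$broad = 'Authenticated Users|Domain Users|Domain Computers|Everyone'
(Get-Acl -Path "AD:\$zoneDn").Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|GenericWrite' -and
    $_.IdentityReference.Value -match $broad
  } |
  Select-Object @{ n = 'Zone'; e = { $domain.DNSRoot } },
                IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Any row returned by the last query is a principal that can plant the DNS entry the attack needs; remove the grant or scope it to the DNS administrators that actually manage records.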
Executive Strategies for Data Loss Prevention with Precedecyber
Data is both your greatest asset and your greatest liability. From intellectual property to customer records, the cost of a breach or leak can be catastrophic—not just financially, but reputationally. For executives tasked with safeguarding digital trust, Data Loss Prevention (DLP) is no longer optional. It’s foundational.
At Precedecyber, we help leadership teams navigate this challenge with clarity and confidence. In this post, we explore how Forcepoint’s DLP platform empowers executives to take control of data risk—without slowing down innovation.
Why Executives Must Lead the DLP Conversation
Data protection isn’t just an IT issue—it’s a boardroom imperative. Executives are increasingly held accountable for:
• Regulatory compliance (GDPR, HIPAA, ISO 27001)
• Brand reputation and customer trust
• Operational resilience and business continuity
• Cyber insurance eligibility and risk scoring
Forcepoint’s DLP solution offers visibility and control that aligns directly with these priorities, enabling leaders to make informed, strategic decisions.
Forcepoint DLP: What Sets It Apart
Forcepoint’s approach to DLP is built around behavioral intelligence and risk-adaptive protection—two capabilities that resonate with executive concerns:
• Contextual Awareness
Understand not just what data is being accessed, but why, how, and by whom. This enables smarter policy enforcement and fewer false positives.
• Risk-Adaptive Policies
Automatically adjust controls based on user behavior and risk level—reducing friction for trusted users while tightening controls for risky activity.
• Unified Visibility Across Channels
Monitor data movement across endpoints, cloud apps, email, and web—critical for hybrid and remote workforces.
• Integration with Identity Platforms
Seamless alignment with Entra ID and Active Directory ensures that identity and data protection work hand-in-hand.
Executive Strategy Framework: DLP with Forcepoint
Here’s how Precedecyber recommends executives approach DLP implementation:
1. Define What Matters Most
• Identify crown-jewel data assets (IP, financials, customer PII)
• Map data flows across departments and platforms
2. Align DLP with Business Objectives
• Ensure policies support—not hinder—productivity
• Use Forcepoint’s analytics to quantify risk and ROI
3. Empower a Culture of Security
• Train teams on acceptable use and data handling
• Use Forcepoint’s behavioral insights to guide coaching, not just enforcement
4. Monitor, Measure, and Mature
• Build executive dashboards for real-time visibility
• Review incidents and adapt policies quarterly
The Bottom Line
Forcepoint DLP isn’t just a technical tool—it’s a strategic asset. When deployed with executive oversight and business alignment, it becomes a catalyst for trust, compliance, and competitive advantage.
At Precedecyber, we specialize in helping organizations implement DLP strategies that scale. Whether you’re modernizing legacy infrastructure or building a Zero Trust roadmap, we’re here to guide the way.
Ready to take control of your data risk?
Let’s talk about how Forcepoint and Precedecyber can help you lead with confidence.
Privilege Escalation by Abusing dMSA: The BadSuccessor Vulnerability
Executive Summary
On 23.05.2025, Yuval Gordon of Akamai disclosed a new attack method that exploits a design flaw in the Delegated Managed Service Account (dMSA) feature introduced with Windows Server 2025, and published exploit code for it. The method is called “BadSuccessor” and is classified as a new attack technique alongside the already-known ones. With this technique, an unprivileged user in the Active Directory environment can take over the identity of any administrator account by abusing dMSA accounts. This exploitation technique leads to the compromise of the entire Active Directory environment.
Detection and mitigation of the vulnerability can be carried out using the details in this document.
Introduction
Through the technique known as BadSuccessor, disclosed by Akamai security researchers, an attacker can compromise the entire infrastructure in environments utilizing Windows Server 2025 Domain Controllers by leveraging two distinct attack scenarios.
The first scenario allows any unprivileged user or computer account within an Active Directory environment to create a vulnerable dMSA account, provided that it possesses the “Create msDS-DelegatedManagedServiceAccount” or “Create all child objects” permission on any “Container” or “Organizational Unit” object, or holds broadly defined rights encompassing these permissions such as “GenericAll,” “WriteDACL,” “WriteOwner,” or “Owner.”
In the second scenario, an attacker can weaponize a dMSA account that already exists in the Active Directory environment, as long as they have permission to write to the “msDS-ManagedAccountPrecededByLink” and “msDS-DelegatedMSAState” attributes of existing dMSA objects. This is also possible with broader privileges that include those permissions, such as “GenericWrite,” “GenericAll,” “WriteDACL,” “WriteOwner,” or “Owner.”
The attacker manipulates the “msDS-ManagedAccountPrecededByLink” and “msDS-DelegatedMSAState” attributes, which are the root cause of the vulnerability, to impersonate a user of their choice, causing the entire Active Directory environment to be compromised.
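The following PowerShell script is an added example, not part of the original post or Akamai's tooling, that hunts for the two preconditions described above: existing dMSA objects whose predecessor link already points at a privileged account (scenario 2), and OUs or containers where a non-admin principal can create child objects or holds a right that implies it (scenario 1). It assumes the ActiveDirectory RSAT module and the default built-in group names.

```powershell
# Added example (not part of the original post): BadSuccessor precondition hunt.
# Assumes the ActiveDirectory RSAT module and a domain with Windows Server 2025 DCs.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# DNs of accounts a dMSA should never "succeed": recursive members of the admin groups.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty DistinguishedName -Unique

# Scenario 2: every dMSA, with the two attributes the technique manipulates.
Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' -SearchBase $domainDn `
    -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState' |
  ForEach-Object {
    $pred = [string]$_.'msDS-ManagedAccountPrecededByLink'
    [pscustomobject]@{
        dMSA       = $_.DistinguishedName
        PrecededBy = $pred
        State      = $_.'msDS-DelegatedMSAState'   # 2 = migration completed
        Flag       = if ($pred -and $privileged -contains $pred) { 'SUSPICIOUS' } else { '' }
    }
  }

# Scenario 1: containers where a non-admin principal can create child objects
# (a dMSA among them) or holds GenericAll/WriteDacl/WriteOwner, which imply it.
# An all-zero ObjectType GUID means "all child objects"; a class GUID narrows it.
$trusted = 'Domain Admins|Enterprise Admins|NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|ENTERPRISE DOMAIN CONTROLLERS'
Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' -SearchBase $domainDn |
  ForEach-Object {
    $dn = $_.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteDacl|WriteOwner' -and
        $_.IdentityReference.Value -notmatch $trusted
      } |
      Select-Object @{ n = 'Container'; e = { $dn } },
                    IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
  }
```

Rows from the second query are the principals to review; until the environment is patched, the safest fix is to remove create-child rights on OUs from anyone who does not need to provision service accounts.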
Executive Insight: Strengthening Identity Infrastructure with Entra ID & Active Directory Assessment
Identity is the gateway to everything—data, systems, and trust. Yet many organizations operate with fragmented identity environments, legacy configurations, and blind spots that expose them to risk. For executives, securing identity isn’t just a technical priority—it’s a strategic imperative.
Why Identity Infrastructure Demands Executive Attention
Whether you're managing a hybrid workforce, scaling cloud adoption, or preparing for compliance audits, your identity systems are under pressure. Common challenges include:
• Overprivileged accounts and stale access
• Misconfigured conditional access policies
• Legacy AD dependencies that hinder agility
• Limited visibility into identity-based threats
• Gaps in governance and audit readiness
Executives are increasingly accountable for these risks—from board-level oversight to regulatory scrutiny. Assessment services help you surface and solve them.
Identity Assessment is designed for strategic clarity and actionable outcomes. Here’s what you can expect:
1. Comprehensive Environment Mapping
We analyze your Entra ID and Active Directory architecture, including hybrid configurations, trust relationships, and authentication flows.
2. Risk & Exposure Analysis
We identify vulnerabilities such as excessive privileges, outdated policies, and risky sign-in patterns—prioritized by business impact.
3. Governance & Compliance Review
We assess alignment with frameworks like ISO 27001, NIST, and GDPR, highlighting gaps in access reviews, audit logging, and role-based controls.
4. Strategic Recommendations
We deliver a tailored roadmap for remediation, modernization, and Zero Trust alignment—designed for executive decision-making.
5. Executive Dashboard & Briefing
You receive a visual summary of findings, risk posture, and next steps—ready for boardroom presentation or stakeholder alignment.
Ready to take control of your Identity Infrastructure?
Let’s talk about how Precedecyber and Forestall can help you lead with confidence.
Understanding ESC15: A New Privilege Escalation Vulnerability in Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (ADCS) play a critical role in managing and securing the digital identities of users and devices in enterprise environments. However, vulnerabilities in this system can lead to disastrous security breaches. On October 7, 2024, a new attack method targeting ADCS, dubbed ESC15, was discovered. This method allows unauthorized users to escalate privileges within an Active Directory (AD) environment by exploiting misconfigured certificate templates.
The ESC15 vulnerability is an enhancement of previously known techniques like ESC1 but bypasses many of the constraints set by older attack vectors. Notably, this attack method was added to Certipy, a popular tool in the offensive security community, thanks to contributions from dru1d-foofus and TrustedSec’s Justin Bollinger. In this blog post, we’ll dive into how ESC15 works, how to detect vulnerable environments, and the steps to mitigate the risk.
Introduction
What is ESC15?
ESC15 is an attack vector that exploits Certificate Templates with Schema Version 1 in ADCS. This method builds on ESC1, which allowed attackers to request certificates for privileged accounts. However, ESC15 bypasses even more security checks, making it a more dangerous variant.
Key Exploit Conditions for ESC15:
• The Certificate Template Schema Version is 1.
• The Certificate Template allows arbitrary subjectAltName values in the Certificate Signing Request (CSR).
• Non-privileged users have Enrollment Rights on the template.
By exploiting these conditions, attackers can impersonate privileged users like Domain Admins and escalate their privileges within the domain.
Detailed Breakdown of ESC1 and ESC15
In the original ESC1 vulnerability, attackers could request a certificate for any user if:
• The Certificate Template allowed users to supply the Subject in the CSR.
• The template included at least one EKU (Enhanced Key Usage), such as Domain Authentication, allowing authentication in the domain.
ESC15 improves upon ESC1 by allowing attackers to exploit Schema Version 1 Certificate Templates even if they lack an EKU for Domain Authentication.
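The following PowerShell script is an added example, not part of the original post or of Certipy, that lists the templates meeting the ESC15 conditions described above: schema version 1, the ENROLLEE_SUPPLIES_SUBJECT flag set in msPKI-Certificate-Name-Flag, and enrollment rights granted to a broad group. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition; the EKU column is reported for information only, since ESC15 does not require a Domain Authentication EKU.

```powershell
# Added example (not part of the original post): find ESC15-exposed certificate templates.
# Assumes the ActiveDirectory RSAT module; reads the Configuration partition.
Import-Module ActiveDirectory
$configDn    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
$caDn        = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDn"

# Templates published on at least one CA; unpublished templates cannot be requested.
$published = Get-ADObject -SearchBase $caDn -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

$ENROLLEE_SUPPLIES_SUBJECT = 0x1                           # bit in msPKI-Certificate-Name-Flag
$enrollRight = '0e10c968-78fb-11d2-90d4-00c04f79dc55'      # Certificate-Enrollment extended right
$allRights   = '00000000-0000-0000-0000-000000000000'      # ExtendedRight with empty GUID = all
$broadGroups = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

Get-ADObject -SearchBase $templatesDn -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage |
  ForEach-Object {
    $t = $_
    $schemaV1      = $t.'msPKI-Template-Schema-Version' -eq 1
    $supplySubject = ($t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    if (-not ($schemaV1 -and $supplySubject)) { return }

    # Principals that can enroll: the specific enroll right, all extended rights, or GenericAll.
    $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
          ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
           "$($_.ObjectType)" -in @($enrollRight, $allRights)) -or
          $_.ActiveDirectoryRights -match 'GenericAll')
      } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template    = $t.Name
        Published   = $published -contains $t.Name
        EKU         = ($t.pKIExtendedKeyUsage -join ',')   # informational; not needed for ESC15
        BroadEnroll = (@($enrollers | Where-Object { $_ -match $broadGroups }) -join ';')
        Enrollers   = ($enrollers -join ';')
    }
  } | Where-Object { $_.BroadEnroll }
```

A published template in this output should have the enrollee-supplies-subject flag removed or be re-created as a schema version 2 or higher template, and its enrollment rights narrowed to the principals that actually need it.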
The GitHub Contribution to Certipy
On October 7, 2024, a GitHub user named dru1d-foofus submitted a Pull Request to the Certipy repository, automating the exploitation of ESC15. The Pull Request (PR #228) was built upon an earlier discovery by TrustedSec’s Justin Bollinger (@Bandrel). Thanks to these contributors, offensive security professionals now have the ability to automate the ESC15 exploitation process within the Certipy tool.