IronSmith Intel
Severity: Medium (CVSS 6.5)
CVE: CVE-2025-26685
Authentication required: none (unauthorized adjacent-network attacker)
Reboot: not required
Estimated effort: 15 minutes per sensor (most auto-update without reboot)
Remediation: manual only

Microsoft Defender for Identity Improper Authentication — Spoofing (CVE-2025-26685)

An improper-authentication flaw in Microsoft Defender for Identity (the sensor that monitors AD domain controllers) allows an attacker on an adjacent network to perform spoofing against the sensor. Service-side fix — no on-prem patching is required, but operators should confirm sensor version and review related Defender for Identity health alerts.

Published May 13, 2025 · Updated May 15, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

The attack does not give code execution. Instead it lets an adjacent-network attacker poison the identity telemetry that Defender for Identity surfaces — potentially hiding their own lateral movement or framing a different account. Realistic abuse: an attacker who already has a foothold on a domain-joined host poisons MDI telemetry to evade detection while continuing the intrusion.

How the attack works

CVE-2025-26685 is an authentication-bypass / spoofing flaw in the Defender for Identity sensor. The MDI sensor inspects authentication traffic on the domain controller, and improperly-validated request signatures allow an attacker on the same network segment to spoof identities or impersonate other entities to the sensor — degrading the integrity of the telemetry MDI feeds back to the Defender XDR portal.

Am I affected? Quick check

Probably yes if any of these apply:

Defender for Identity administrators
Active Directory security team
SOC analysts who triage MDI alerts
Running Defender for Identity sensors prior to the May 2025 sensor build

Affected OS versions

Defender for Identity sensors on Windows Server 2016+
AD domain controllers running the MDI sensor

Fixed in: Defender for Identity sensor build released alongside the May 13 2025 Patch Tuesday (sensor auto-update normally pulls this in)

Real-world incidents: what we've seen

Microsoft addressed CVE-2025-26685 on the May 13 2025 release date as part of the broader May 2025 Patch Tuesday set. Defender for Identity is a cloud-managed service with on-prem sensors, so most of the fix is delivered service-side; operators should verify sensor version and check for spoofing-related alerts in the MDI portal.

How to patch

Manual remediation steps

Estimated time: 15 minutes per sensor (most auto-update without reboot)

Identify Sensor Status

In the Microsoft Defender portal (security.microsoft.com):

1. Navigate to Settings → Identities → Sensors
2. Review the version column for each domain controller listed
3. Compare against the latest sensor build noted in the MDI release notes for May 2025

Or on each domain controller:

# Check installed MDI sensor version
# The sensor runs as the Windows service "AATPSensor"; it should report Running
Get-Service -Name AATPSensor
# Read the installed build from the sensor's Add/Remove Programs entry
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Azure Advanced Threat Protection Sensor" -ErrorAction SilentlyContinue).DisplayVersion

Apply the Fix

MDI sensors auto-update by default. If auto-update has been disabled or a sensor is on an older build:

1. Download the latest sensor package from the Defender portal: Settings → Identities → Sensors → "Download installer"
2. Run the installer as Administrator on the domain controller — it upgrades in place without a reboot in most cases
3. Confirm the new version in the portal

Review for Suspicious Activity

In the Defender portal:

1. Go to Incidents & alerts → Alerts
2. Filter for spoofing / identity-related alerts since May 13 2025
3. Triage any anomalies in identity telemetry that may indicate exploitation of the flaw

Verify

In the Defender portal: every domain-controller sensor shows the post-May-2025 build and "Healthy" status.
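The "Identify Sensor Status" and "Verify" steps above are done per domain controller. The script below is an added example written for this page (it is not IronSmith Intel's own automation, and not a Microsoft tool) that carries those checks out across every domain controller at once: it enumerates the DCs from Active Directory, reads the AATPSensor service state and the installed sensor build from each one over WinRM, and flags any DC whose build is older than a minimum you pass in. It assumes the RSAT ActiveDirectory module is installed on the admin workstation, WinRM is enabled on the DCs, and the account running it can read the DCs' registry. The `-MinimumBuild` value is a placeholder: take the May 2025 sensor build number from the MDI release notes, since this page does not quote it. Unlike the single-line check above, it locates the sensor's Uninstall entry by DisplayName rather than a fixed key path, on the assumption that the entry may sit under a GUID-named key.

```powershell
# Added example: inventory MDI sensor builds on all domain controllers and flag any
# that are below a minimum build or whose sensor service is not running.
# Assumptions: RSAT ActiveDirectory module, WinRM to the DCs, remote registry read rights.
param(
    # Placeholder: supply the May 2025 sensor build from the MDI release notes.
    [Parameter(Mandatory = $true)]
    [version] $MinimumBuild,
    # Optional explicit DC list; defaults to every DC in the current domain.
    [string[]] $ComputerName = @()
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $ComputerName) {
    # Every DC is expected to run the MDI sensor, so enumerate them from AD.
    $ComputerName = (Get-ADDomainController -Filter *).HostName
}

# Runs on each DC: returns the sensor service state and the installed version.
# The Uninstall entry is matched on DisplayName (assumption: the key itself may be a GUID).
$probe = {
    $svc = Get-Service -Name AATPSensor -ErrorAction SilentlyContinue
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $entry = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like 'Azure Advanced Threat Protection Sensor*' } |
        Select-Object -First 1

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ServiceState  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SensorVersion = if ($entry) { $entry.DisplayVersion } else { $null }
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction Continue

# Turn the raw probe results into an actionable status per DC.
$report = foreach ($r in $results) {
    $status = if (-not $r.SensorVersion) {
        'SENSOR MISSING'
    } elseif ([version]$r.SensorVersion -lt $MinimumBuild) {
        'NEEDS UPDATE'            # below the May 2025 build: update per the steps above
    } elseif ($r.ServiceState -ne 'Running') {
        'UPDATED BUT SERVICE NOT RUNNING'   # build is current, but telemetry is not flowing
    } else {
        'OK'
    }
    [pscustomobject]@{
        Computer      = $r.Computer
        SensorVersion = $r.SensorVersion
        ServiceState  = $r.ServiceState
        Status        = $status
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Non-zero exit when anything needs attention, so the script can gate a scheduled task or pipeline.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it as, for example, `.\Check-MdiSensors.ps1 -MinimumBuild <build-from-release-notes>`; DCs that were unreachable over WinRM are simply absent from the table, so compare the row count against `(Get-ADDomainController -Filter *).Count` before treating an all-OK result as complete. The "UPDATED BUT SERVICE NOT RUNNING" state is worth checking separately from the build number because a sensor that is current but stopped also leaves the portal without that DC's telemetry.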

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.