🚨 CRITICAL advisory

From Domain User to System: NTLM LDAP Authentication Bypass (CVE-2025-54918)

CrowdStrike research describes CVE-2025-54918, a critical evolution of coercion and NTLM relay techniques that can allow attackers to coerce a domain controller into authenticating to an attacker-controlled listener, manipulate NTLM flags (removing SIGN/SEAL while preserving LOCAL_CALL), and relay the modified authentication to achieve SYSTEM-level privileges. The exploit chain leverages RPC coercion vectors (Printer Bug-like) and real-time packet manipulation to bypass LDAP signing and channel binding protections. Because the attack uses the domain controller's own machine account and coerced authentication, it can result in full AD compromise from a low-privilege user foothold. CrowdStrike published detection guidance, CRT rule templates for Falcon Next-Gen SIEM, and mitigation recommendations including enforcing channel binding, LDAP signing, and reducing NTLM exposure.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: High — potential for domain controller takeover and enterprise-wide compromise.
Technical Context: Combines coercion, NTLM relay, and packet manipulation to defeat common AD hardening controls.

⚡Strategic Intelligence Guidance

  • Enforce LDAP signing and channel binding across domain controllers and LDAP clients.
  • Disable NTLM fallback where possible and monitor NTLM authentication anomalies.
  • Deploy detection rules for empty username fields, LOCAL_CALL flags, and modified SEAL/SIGN flags.
  • Use identity-focused EDR/SIEM correlation to detect suspicious authentication sequences.
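The third guidance item (detection rules for empty username fields, LOCAL_CALL flags and cleared SIGN/SEAL flags) is easiest to understand against the bytes of an NTLM AUTHENTICATE message. The following is an added example written for this page; it is not CrowdStrike's code and not one of the CRT rule templates mentioned above. It parses the fixed header of an NTLMSSP Type 3 message (layout and flag values from MS-NLMP; the 0x00004000 bit is the legacy "Negotiate Local Call" flag) and applies the three checks from the advisory. Both messages it inspects are constructed inline as test data; a real pipeline would extract the NTLMSSP blob from the LDAP bind or SMB session setup it is monitoring.

```python
import struct

# NTLM NegotiateFlags bits (MS-NLMP 2.2.2.5); 0x4000 is the legacy Local Call bit.
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_NEGOTIATE_SIGN        = 0x00000010
NTLMSSP_NEGOTIATE_SEAL        = 0x00000020
NTLMSSP_NEGOTIATE_NTLM        = 0x00000200
NTLMSSP_NEGOTIATE_LOCAL_CALL  = 0x00004000
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
FIXED_HEADER_LEN = 64  # signature(8) + type(4) + six 8-byte field descriptors + flags(4)


def _field(blob, off):
    """Decode an 8-byte (Len, MaxLen, BufferOffset) descriptor and return the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, off)
    if offset + length > len(blob):
        raise ValueError("field descriptor points outside the message")
    return blob[offset:offset + length]


def parse_authenticate(blob):
    """Parse the fixed part of an NTLM AUTHENTICATE_MESSAGE (Type 3) into a dict."""
    if len(blob) < FIXED_HEADER_LEN or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected AUTHENTICATE (3), got {msg_type}")
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "flags": flags,
        "domain": _field(blob, 28).decode(enc, "replace"),
        "user": _field(blob, 36).decode(enc, "replace"),
        "workstation": _field(blob, 44).decode(enc, "replace"),
        "nt_response_len": len(_field(blob, 20)),
    }


def assess(msg):
    """Apply the advisory's three indicators to a parsed message; return a list of findings."""
    findings = []
    flags = msg["flags"]
    if msg["user"] == "":
        findings.append("empty UserName field")
    local_call = bool(flags & NTLMSSP_NEGOTIATE_LOCAL_CALL)
    no_integrity = not (flags & NTLMSSP_NEGOTIATE_SIGN) or not (flags & NTLMSSP_NEGOTIATE_SEAL)
    if local_call:
        # A message that arrived over the wire should never claim to be a local call.
        findings.append("LOCAL_CALL set on a message received over the network")
    if local_call and no_integrity:
        findings.append("LOCAL_CALL kept while SIGN/SEAL cleared (relay-style flag manipulation)")
    return findings


def build_authenticate(user, domain, workstation, flags, nt_response=b"\x00" * 24):
    """Construct a minimal AUTHENTICATE_MESSAGE for testing (not a real client implementation)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    # Payload order matches the descriptor order: LM, NT, Domain, User, Workstation, SessionKey.
    payloads = [b"", nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    descriptors, body = b"", b""
    for p in payloads:
        descriptors += struct.pack("<HHI", len(p), len(p), FIXED_HEADER_LEN + len(body))
        body += p
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors + struct.pack("<I", flags) + body


# Constructed samples: a normal signed/sealed bind, and one showing the advisory's indicators.
BENIGN_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
                | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
SUSPICIOUS_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_LOCAL_CALL
SAMPLE_BENIGN = build_authenticate("svc-backup", "CORP", "WS01", BENIGN_FLAGS)
SAMPLE_SUSPICIOUS = build_authenticate("", "CORP", "DC01", SUSPICIOUS_FLAGS)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        msg = parse_authenticate(blob)
        print(label, hex(msg["flags"]), repr(msg["user"]), assess(msg) or "no findings")
```

The benign sample yields no findings; the suspicious one yields three (empty username, LOCAL_CALL on a network message, and LOCAL_CALL with SIGN/SEAL cleared). Treat the combined finding as the high-confidence signal: SEAL alone is absent in plenty of legitimate traffic, which is why the check keys on LOCAL_CALL being present at the same time.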

CVEs

CVE-2025-54918

Vendors

CrowdStrike, Microsoft

Targets

Active Directory, Windows Domain Controllers