Microsoft has released a security advisory about a new vulnerability in Active Directory Certificate Services (AD CS). This flaw could let attackers launch denial-of-service (DoS) attacks over a network.
The vulnerability is tracked as CVE-2025-29968. It affects several versions of Windows Server and has been rated as “Important”. The CVSS score is 6.5 for Windows Server 2022 and 5.7 for other versions.
Improper Input Validation in AD CS
The issue is caused by improper input validation in AD CS, the Windows Server role that issues and manages the digital certificates an organization relies on for authentication and encrypted communication.
According to Microsoft, an authorized attacker can exploit this flaw to disrupt the AD CS service. This could stop important functions like authentication and secure communication across an organization’s network.
Details of the Vulnerability
The vulnerability is classified under CWE-20 (Improper Input Validation). It can be exploited over the network with low attack complexity. The attacker needs only low-privileged authenticated access, and no user interaction is required.
While this flaw does not affect confidentiality or integrity, it can seriously harm availability. An attacker could make AD CS unresponsive, affecting systems that depend on it.
Risk Factors and Affected Products
Microsoft has confirmed the following Windows Server versions are affected:
- Windows Server 2022 (including 23H2 Edition)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 / 2012 R2
- Windows Server 2008 / 2008 R2
Both Standard and Server Core installations are vulnerable when the AD CS role is enabled.
Patches and Mitigation
Microsoft has released security updates to fix this issue. Administrators should apply these patches as soon as possible. Key updates include:
- Windows Server 2022: KB5058385
- Windows Server 2019: KB5058392
- Windows Server 2016: KB5058383
Microsoft has assessed the chance of exploitation as “Exploitation Unlikely”. The vulnerability has not been publicly disclosed or used in active attacks so far. However, organizations should stay alert and keep systems updated.
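As an added example (not from Microsoft's bulletin or this article), the following PowerShell check reports, for one Windows Server host, whether the AD CS Certification Authority role is installed, whether the update listed above for that OS version is present, and the current state of the CertSvc service, since availability is the impact here. It assumes it runs on Windows Server with the ServerManager module available; the KB-to-version map covers only the three updates the article lists.

```powershell
# Added check (not from the advisory): per-host AD CS exposure and patch state
# for CVE-2025-29968. Assumes Windows Server (Get-WindowsFeature needs the
# ServerManager module); run elevated for complete Get-HotFix results.

# KB numbers exactly as listed in the advisory summary, keyed on OS caption.
# Other versions (2012/2008, 23H2 Edition) are not mapped here and need a
# manual check against Microsoft's bulletin.
$kbByVersion = @{
    'Windows Server 2022' = 'KB5058385'
    'Windows Server 2019' = 'KB5058392'
    'Windows Server 2016' = 'KB5058383'
}

$osName = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

$result = [ordered]@{
    Host              = $env:COMPUTERNAME
    OS                = $osName
    AdcsRoleInstalled = $false
    ExpectedKB        = $null
    KBInstalled       = $null
    CertSvcStatus     = 'not present'
}

# Only hosts with the CA role enabled expose the affected service.
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue
if ($feature -and $feature.Installed) { $result.AdcsRoleInstalled = $true }

# Pick the advisory KB that applies to this OS caption, if any.
$match = $kbByVersion.Keys | Where-Object { $osName -like "*$_*" } | Select-Object -First 1
if ($match) {
    $result.ExpectedKB = $kbByVersion[$match]
    # Caveat: cumulative updates supersede each other, so a newer LCU may be
    # installed instead of this exact KB. $false means "verify manually",
    # not necessarily "unpatched".
    $result.KBInstalled = [bool](Get-HotFix -Id $result.ExpectedKB -ErrorAction SilentlyContinue)
}

# Impact is availability: record the CA service state for baselining/alerting.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($svc) { $result.CertSvcStatus = $svc.Status.ToString() }

[pscustomobject]$result
```

Run it across CA hosts (for example via Invoke-Command) and alert on any host where AdcsRoleInstalled is true and KBInstalled is false, then confirm the installed cumulative update level before treating the host as unpatched.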
Discovery and Acknowledgment
An anonymous security researcher discovered and reported this vulnerability through coordinated disclosure. Microsoft has acknowledged their contribution in the official security bulletin.
Recommendations
Organizations using Active Directory Certificate Services are strongly advised to apply the latest security patches. Regular patch management is crucial to reduce the risk of service disruptions caused by this vulnerability.