A newly discovered vulnerability, CVE-2025-23120, that enables remote code execution (RCE) for domain users is making waves in the cybersecurity community, posing a severe threat to organizations worldwide.
“The attack method grants adversaries administrative-level privileges once they establish a foothold through a compromised user account,” c/side security analyst Himanshu Anand said in a new analysis.
As of writing, there are over 52,000 domain-based environments thought to be affected by the flaw, according to internal telemetry gathered by c/side. The figure could be much higher as more security firms begin their own investigations.
The vulnerability, reported by HackerOne on March 21, 2025, leverages a chain of misconfigurations within certain Active Directory implementations. If successfully exploited, it allows an attacker to inject malicious code remotely, effectively taking over the compromised system and opening the door for lateral movement within networks.
As detailed in the analysis, once a user with domain credentials falls prey to the exploit—often via phishing or a drive-by download—CVE-2025-23120 enables the attacker to execute arbitrary commands under the same level of access. From there, the bad actor can elevate privileges, deploy additional payloads, or exfiltrate sensitive data.
The intrusion path has been found to rely on a combination of social engineering and unpatched servers. In particular, c/side noted that threat actors often target domain controllers that have not received the latest security updates.
c/side also identified an advanced variant of the exploitation strategy that conceals backdoor scripts using PowerShell obfuscation techniques, making them more difficult to detect. In several incidents, attackers impersonated legitimate IT tools to blend in with normal network traffic, thus evading basic antivirus filters and endpoint monitoring solutions.
The end result is a high-impact compromise: organizations may witness unauthorized installations, system reconfigurations, or even complete operational shutdowns if the RCE is used to deploy ransomware.
“This campaign underscores how even a single vulnerability can morph into a platform for large-scale attacks,” Anand said. “When domain credentials are in play, the ripple effect across enterprise systems can be devastating.”
The disclosure of CVE-2025-23120 comes on the heels of several high-profile campaigns that have highlighted the importance of continuous patching and network segmentation. Unlike attacks focusing on client-side code injections, this vulnerability specifically exploits the inherent trust relationships within Active Directory environments.
“The current wave of exploits we’re tracking indicates a shift toward more sophisticated privilege escalation methods,” Anand added. “We’ve seen a spike in reconnaissance activity around Windows domain infrastructure, suggesting threat actors are actively looking for this type of flaw.”
Indeed, once an adversary gains domain-level authority, the breach often spirals into widespread data theft. Some attackers may go further, disabling security tools, hiding malicious admin accounts, and siphoning legitimate credentials for future use—a tactic that c/side researchers liken to “taking full control of the castle by seizing the keys.”
Remediation and Best Practices

Organizations are urged to implement immediate mitigation measures, which include installing all available patches related to CVE-2025-23120, enforcing least-privilege policies, and ensuring continuous network monitoring for anomalous traffic.
Security researchers further recommend that system administrators:
Update Domain Controllers: Apply the latest vendor patches, prioritizing systems that manage authentication and group policy.
Audit Privileged Accounts: Regularly review and limit user privileges to reduce the risk of unauthorized escalation.
Enable Advanced Logging: Utilize event logs and SIEM solutions to detect and isolate unusual activity in real time.
Educate Users: Train employees to spot phishing attempts and suspicious links, which remain the most common entry vector.
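As an added illustration of the logging recommendation above (this is not code from the article or from c/side), the heuristic below triages PowerShell script-block log records for the obfuscation traits the analysis describes, such as base64-decoded loaders and character-code string building. The event field names, thresholds and sample records are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Heuristic patterns seen in obfuscated PowerShell loaders (assumed indicators, not signatures).
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "char_code_build": re.compile(r"\[char\]\s*\d+", re.I),
    "string_format_or_join": re.compile(r"(-f\s*'|\[array\]::Reverse|-join\b)", re.I),
}

def shannon_entropy(text):
    """Bits per character; random-looking blobs score noticeably higher than scripts."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_script_block(script):
    """Return the heuristic reasons this script block looks obfuscated (empty if none)."""
    reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(script)]
    symbols = sum(1 for ch in script if not ch.isalnum() and not ch.isspace())
    if len(script) > 40 and symbols / len(script) > 0.35:   # assumed threshold
        reasons.append("high_symbol_ratio")
    if len(script) > 100 and shannon_entropy(script) > 5.0:  # assumed threshold
        reasons.append("high_entropy")
    return reasons

def triage_events(events):
    """Return (RecordId, reasons) for records showing two or more indicators."""
    hits = []
    for ev in events:
        reasons = score_script_block(ev.get("ScriptBlockText", ""))
        if len(reasons) >= 2:
            hits.append((ev["RecordId"], reasons))
    return hits

# Constructed sample script-block records (not real telemetry): one benign, two suspicious.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": "Get-ADUser -Filter * -Properties LastLogonDate | Select Name,LastLogonDate"},
    {"RecordId": 2, "ScriptBlockText": "IEX ([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA')))"},
    {"RecordId": 3, "ScriptBlockText": "$a=[char]73+[char]69+[char]88;&($a) (('{0}{1}' -f 'Get-Proc','ess'))"},
]

if __name__ == "__main__":
    for record_id, reasons in triage_events(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(reasons)}")
```

In practice the records would come from a SIEM export of script-block logging rather than the inline list, and hits feed an analyst queue rather than a blocking decision.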
“This vulnerability highlights that while perimeter defenses matter, internal defenses are just as critical,” Anand noted.