From Domain User to SYSTEM: Analyzing the NTLM LDAP Authentication Bypass Vulnerability (CVE-2025-54918)
CrowdStrike, Wednesday, October 22nd, 2025
In September 2025, a critical vulnerability (CVE-2025-54918) was discovered affecting domain controllers running LDAP or LDAPS services.
This vulnerability allows attackers to elevate privileges from a standard domain user to SYSTEM-level access, potentially compromising entire Active Directory environments. This blog post examines the background, the technical details of the exploit, detection methods, and how organizations can protect themselves using CrowdStrike Falcon Exposure Management and CrowdStrike Falcon Next-Gen Identity Security, both delivered through the unified CrowdStrike Falcon platform.