
CVE-2025-26685: CWE-287: Improper Authentication in Microsoft Defender for Identity

Severity: Medium
Tags: Vulnerability, CVE-2025-26685, CWE-287
Published: Tue May 13 2025 (05/13/2025, 16:58:55 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft Defender for Identity

Description

Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network.

AI-Powered Analysis

Last updated: 07/18/2025, 20:56:35 UTC

Technical Analysis

CVE-2025-26685 is a vulnerability classified under CWE-287 (Improper Authentication) affecting Microsoft Defender for Identity. This security flaw allows an unauthorized attacker to perform spoofing attacks over an adjacent network, meaning the attacker must be on the same local network segment or have network proximity to the target environment. The vulnerability arises from improper authentication mechanisms within Microsoft Defender for Identity, a security product designed to detect and investigate advanced threats, compromised identities, and malicious insider actions within an enterprise environment. Exploitation requires neither privileges nor user interaction, so any attacker with access to the adjacent network can attempt it. The CVSS v3.1 base score is 6.5 (medium severity); the vector indicates an adjacent network attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high impact on confidentiality (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could allow attackers to spoof identities or network communications within the Defender for Identity environment, potentially bypassing detection or gaining unauthorized access to sensitive identity-related telemetry and alerts.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of identity and security telemetry data monitored by Microsoft Defender for Identity. As this product is widely used in enterprise environments to detect advanced persistent threats and insider threats, successful exploitation could allow attackers to spoof legitimate network entities, evade detection, or manipulate identity-related security alerts. This could lead to unauthorized access to sensitive user or system information, undermining trust in security monitoring and increasing the risk of further lateral movement or data breaches. The medium severity rating reflects that while the impact on confidentiality is high, the attack requires network adjacency, limiting remote exploitation. However, in environments with shared or poorly segmented networks, especially in large European enterprises or government agencies, the risk is elevated. The lack of required privileges or user interaction means attackers with local network access can attempt exploitation stealthily. This vulnerability could also impact compliance with European data protection regulations (e.g., GDPR) if identity data confidentiality is compromised.

Mitigation Recommendations

European organizations should implement strict network segmentation and access controls to limit the possibility of attackers gaining adjacent network access to systems running Microsoft Defender for Identity. Monitoring and restricting lateral movement within internal networks can reduce exposure. Organizations should prioritize deploying any forthcoming patches or updates from Microsoft addressing this vulnerability as soon as they become available. In the interim, enabling enhanced logging and anomaly detection for Defender for Identity communications may help identify suspicious spoofing attempts. Network-level protections such as dynamic ARP inspection, DHCP snooping, and port security on switches can help prevent spoofing attacks on local networks. Additionally, organizations should review and harden authentication configurations related to Defender for Identity and ensure that only trusted devices and users have network access to these systems. Conducting regular internal penetration testing and vulnerability assessments focusing on adjacent network attack vectors can help identify and remediate exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-02-12T22:35:41.551Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb948

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/18/2025, 8:56:35 PM

Last updated: 8/18/2025, 11:34:26 PM
