Executive Summary
In May 2026, a security analysis highlighted that merely changing passwords in Active Directory (AD) environments does not end a breach. An attacker who already holds an account's cached credentials, valid Kerberos tickets, or established sessions can keep using them after the reset, because a reset changes the secret stored in AD but does not revoke material that was derived from the old one. This is a property of how Windows authentication works, not a single vulnerability, and it means incident response must go beyond credential changes.
The analysis also emphasizes identity drift: the window during which the credential state in on-premises AD and in Entra ID disagree (for example, before a reset has synchronized or before cloud tokens are revoked). Closing that window, alongside ticket and session invalidation, is what actually removes the attacker's residual access paths after a password reset.
Why This Matters Now
With the increasing sophistication of cyber threats, relying solely on password changes is insufficient. Organizations must adopt holistic security practices to effectively counteract persistent threats in AD environments.
Attack Path Analysis
The representative path described by the analysis is the following. An attacker with a foothold on a domain-joined host harvests cached credentials, Kerberos tickets, and live sessions; when the affected passwords are reset, those artifacts keep working, so access survives the response. From there the attacker escalates privileges through service accounts and Kerberos ticket attacks (Kerberoasting, forged tickets), moves laterally, establishes command and control, exfiltrates data, and disrupts operations.
Kill Chain Progression
Initial Compromise
Description
The analysis does not name a specific initial intrusion vector (password spraying and credential theft are the candidates listed under the ATT&CK techniques below). Its point concerns what happens after initial access: once an attacker holds an account's NTLM hash, a Kerberos TGT or service ticket, or an established logon session, a password reset does not revoke any of them. Tickets stay valid until they expire or the krbtgt key is rotated; domain controllers keep accepting the previous password for NTLM network logons for a grace period (60 minutes by default); and existing sessions and cloud tokens stay open until they are explicitly terminated. The attacker therefore retains access across the reset unless each of these is addressed.
Related CVEs
CVE-2025-0604
CVSS 5.4. A flaw in Keycloak's LDAP federation: after a password reset, Keycloak did not perform a fresh LDAP bind, so users whose AD accounts had expired or been disabled could still authenticate through Keycloak.
Affected Products:
Red Hat Keycloak – Affected versions not specified
Exploit Status:
no public exploit
CVE-2022-32744
CVSS 8.8. Samba's AD domain controller accepted kpasswd (password change) requests encrypted with any key known to the KDC, so any authenticated domain user could forge a password change for any other user, including administrators, leading to full domain takeover.
Affected Products:
Samba – fixed in 4.14.14, 4.15.9 and 4.16.4; earlier 4.x releases running the AD DC role are affected
Exploit Status:
no public reports of in-the-wild exploitation (not listed in CISA KEV)
Note that the attack path above does not depend on either CVE; it relies on the normal behaviour of Windows authentication after a password reset. The CVEs are related only in that both involve password-change handling.
MITRE ATT&CK® Techniques
Steal or Forge Kerberos Tickets (T1558)
Use Alternate Authentication Material: Pass the Hash / Pass the Ticket (T1550.002, T1550.003)
Account Manipulation (T1098)
Modify Authentication Process: Domain Controller Authentication (T1556.001)
Rogue Domain Controller (T1207)
Brute Force: Password Spraying (T1110.003)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure proper user identification and authentication management
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Active Directory breaches expose banking systems to prolonged unauthorized access through cached credentials, Kerberos ticket attacks, and service account compromises that survive password resets.
Health Care / Life Sciences
Healthcare organizations face extended breach exposure because a password change does not immediately invalidate cached credentials, outstanding Kerberos tickets, or active sessions, threatening HIPAA compliance and patient data security.
Government Administration
Government agencies are exposed to persistent access via Golden Ticket attacks (forged TGTs signed with the krbtgt key, which no user password reset affects) and AdminSDHolder ACL modifications (which SDProp re-applies to every protected group and account, by default every 60 minutes), both of which bypass password-reset-based remediation in Active Directory environments.
Information Technology/IT
The IT sector faces critical risks from service account credential exposure and from hybrid synchronization delays: an on-premises reset reaches Entra ID only on the next sync cycle (30 minutes by default for Entra Connect delta sync), and cloud tokens issued before the reset stay valid until revoked, so attacker access persists after the reset on premises.
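The following PowerShell is an added example written for this page; it is not code from the BleepingComputer or Specops articles. It turns the points above into a post-reset containment routine for one compromised hybrid (AD + Entra ID) user, plus the two domain-level checks the scenario calls for: a two-pass krbtgt reset to invalidate forged or stolen TGTs, and an AdminSDHolder ACL audit. It assumes the ActiveDirectory module, a Microsoft Graph session with the User.ReadWrite.All scope for Revoke-MgUserSignInSession, and, on the Entra Connect server, the ADSync module. The -ServiceHosts list and the AdminSDHolder baseline principal list are illustrative assumptions that must be tuned to the environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example for this page (not the articles' or Microsoft's code). Assumes an
# existing Connect-MgGraph session; host names and the ACE baseline are assumptions.

function New-RandomPassword {
    # 32 base64 characters from a CSPRNG; works on Windows PowerShell 5.1 and PowerShell 7.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-PostResetContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [string[]] $ServiceHosts = @()    # hosts to check for services still running as the user (assumed list)
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

    # 1. Reset the password AND disable the account. The new password alone leaves the
    #    attacker's tickets and sessions untouched; disabling stops new logons meanwhile.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and disable account')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
        Disable-ADAccount -Identity $user
    }

    # 2. Revoke Entra ID refresh tokens and sessions so cloud access does not survive on
    #    tokens issued before the reset (the identity-drift window).
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Revoke Entra ID sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
    }

    # 3. Push the change to Entra ID now rather than waiting for the scheduled delta sync
    #    (only succeeds when run on the Entra Connect server, where the ADSync module exists).
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }

    # 4. Find services still configured with this account. Each one holds the old
    #    password and will keep authenticating with it (or lock the account) until updated.
    $pattern = "(^|\\)$([regex]::Escape($SamAccountName))(@|$)"   # matches DOMAIN\user and user@domain
    foreach ($h in $ServiceHosts) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $h |
            Where-Object { $_.StartName -match $pattern } |
            Select-Object @{ n = 'Host'; e = { $h } }, Name, StartName, State
    }
}

function Reset-KrbtgtTwice {
    # Golden Tickets are signed with the krbtgt key, so no user reset touches them. Reset krbtgt
    # twice: tickets under the old key stay valid until the second pass, which must wait for
    # replication to finish and ideally for the max TGT lifetime (10 hours by default) to elapse.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $SecondPass)
    $pdc  = (Get-ADDomain).PDCEmulator
    $pass = if ($SecondPass) { 2 } else { 1 }
    if ($PSCmdlet.ShouldProcess("krbtgt on $pdc", "Reset password (pass $pass of 2)")) {
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
    }
    # Return DCs that have not yet replicated the new pwdLastSet; rerun until empty before pass 2.
    $expected = (Get-ADUser krbtgt -Server $pdc -Properties pwdLastSet).pwdLastSet
    Get-ADDomainController -Filter * |
        Where-Object { (Get-ADUser krbtgt -Server $_.HostName -Properties pwdLastSet).pwdLastSet -ne $expected } |
        Select-Object -ExpandProperty HostName
}

function Get-AdminSDHolderDrift {
    # Lists ACEs on AdminSDHolder whose trustee is outside an assumed baseline of principals that
    # are present by default. SDProp copies this ACL to protected groups every 60 minutes, so an
    # attacker-added ACE here re-grants access after every cleanup. Tune the baseline on a known-good DC.
    $d  = Get-ADDomain
    $nb = $d.NetBIOSName
    $baseline = @(
        'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
        'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
        'BUILTIN\Windows Authorization Access Group', 'BUILTIN\Terminal Server License Servers',
        "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers",
        "$nb\Enterprise Key Admins", "$nb\Key Admins"
    )
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($d.DistinguishedName)"
    $acl.Access | Where-Object { $_.IdentityReference.Value -notin $baseline } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Usage (after Connect-MgGraph -Scopes 'User.ReadWrite.All'); host names are assumptions:
# Invoke-PostResetContainment -SamAccountName 'jdoe' -ServiceHosts 'app01', 'app02' -WhatIf
# Reset-KrbtgtTwice                # pass 1; once it returns no lagging DCs and the TGT lifetime has passed:
# Reset-KrbtgtTwice -SecondPass    # pass 2 invalidates every TGT issued under the old key
# Get-AdminSDHolderDrift
```

Run everything with -WhatIf first; the krbtgt reset in particular forces every client in the domain to obtain new tickets, and doing the second pass before replication completes causes authentication failures on lagging domain controllers rather than merely being ineffective.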
Sources
- Why Changing Passwords Doesn't End an Active Directory Breach – https://www.bleepingcomputer.com/news/security/why-changing-passwords-doesnt-end-an-active-directory-breach/
- Identity Drift in AD and Entra ID: The Password Change Risk – https://specopssoft.com/blog/identity-drift-active-directory-entra-id/
- CVE-2025-0604 – Keycloak-ldap-federation: authentication bypass due to missing LDAP bind after password reset in Keycloak – https://cvefeed.io/vuln/detail/CVE-2025-0604
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit cached credentials, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt operations by enforcing strict segmentation and access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF could have limited the attacker's ability to exploit cached credentials by enforcing strict access controls and session management policies.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have restricted the attacker's ability to escalate privileges by limiting access to critical resources based on strict identity verification.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the attacker's lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have restricted the establishment of command and control channels by providing comprehensive monitoring and management across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited data exfiltration by controlling and monitoring outbound traffic to external destinations.
While Aviatrix CNSF would not have prevented the initial compromise, its controls could have reduced the attacker's ability to move laterally and disrupt operations by limiting network reachability to critical systems and data. These are network-layer controls: they do not invalidate a stolen ticket, a cached hash, or an open session, so the identity-layer steps (krbtgt rotation, session and token revocation, service account rotation, AdminSDHolder review) remain necessary regardless.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
- Identity Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user credentials and unauthorized access to sensitive systems.
Recommended Actions
Key Takeaways & Next Steps
- Treat a password reset as the first step, not the remediation: rotate krbtgt twice (waiting for replication and the maximum TGT lifetime between passes), revoke Entra ID sessions and tokens, force an Entra Connect sync, and review the AdminSDHolder ACL for attacker-added entries.
- Rotate credentials for every service account the attacker could have reached and restart the services that use them; a service left on the old password keeps authenticating with it or locks the account.
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and control internal network traffic, detecting unauthorized movements.
- Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into network activities and detect anomalies.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and control outbound traffic.
- Establish robust Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.