Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/depthsecurity/RelayKing-Depth/llms.txt

Use this file to discover all available pages before exploring further.

CVE-2025-54918 affects unpatched Windows Server 2025 hosts (build 10.0.26100) and describes a path where an attacker can coerce PrintSpooler RPC authentication and reflect it to LDAPS, bypassing channel binding. When the vulnerable host is a domain controller with PrintSpooler enabled, the attack can lead directly to domain compromise. RelayKing detects this vulnerability automatically using the UBR (Update Build Revision) already queried from each host’s remote registry. No extra network requests are made.

Affected versions

Windows versionBuildVulnerable UBR range
Windows Server 2025 / Windows 11 24H210.0.26100UBR < 6584
Only build 26100 is affected. Hosts on all other builds are not evaluated for this CVE.

How it’s detected

During the standard UBR registry read (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UBR), RelayKing records the full version tuple (major, minor, build, ubr) for every Windows host. When build == 26100 and ubr < 6584:
  1. The host is marked as vulnerable to CVE-2025-54918.
  2. RelayKing checks whether the host is a domain controller (using the DC list populated from AD during --audit enumeration or --dc-ip).
  3. If the host is a DC, RelayKing checks whether PrintSpooler is active by binding to the MS-RPRN interface (12345678-1234-abcd-ef00-0123456789ab) over RPC/TCP via the endpoint mapper.

Severity logic

A Windows Server 2025 domain controller with PrintSpooler enabled and UBR below 6584 is a CRITICAL severity finding. Coerce via PrintSpooler RPC and reflect to LDAPS to write arbitrary AD attributes.
Host rolePrintSpoolerSeverity
DCEnabledCRITICAL
DCNot confirmed / not accessibleMEDIUM
Non-DCAnyMEDIUM
The CRITICAL path — PrintSpooler RPC coercion reflected to LDAPS — bypasses LDAPS channel binding on unpatched Server 2025, allowing the attacker to write to Active Directory as the machine account.

Relay path description

For a CRITICAL finding, the relay path is reported as: 
Source: rpc  →  Destination: ldaps
Impact: CRITICAL
Description: CVE-2025-54918: Server 2025 DC with PrintSpooler enabled — 
  Coerce via RPC, reflect to LDAPS (bypasses channel binding). Build <x> is unpatched.
For a MEDIUM finding (non-DC or PrintSpooler not confirmed): 
Source: any  →  Destination: any
Impact: MEDIUM
Description: CVE-2025-54918: Server 2025 <role> is unpatched (build <x>) — 
  vulnerable to NTLM reflection.

No additional network requests

The UBR value used for this check is the same value read during the NTLM reflection registry pass. PrintSpooler is checked via a separate RPC/TCP bind, but only for DC hosts where the UBR already confirms vulnerability — non-DC hosts are flagged MEDIUM without the PrintSpooler check.
If RemoteRegistry is not running on a host, the UBR cannot be read and the host will not be evaluated for CVE-2025-54918 (or CVE-2019-1040). RelayKing logs this at verbosity level -vvv as STATUS_PIPE_NOT_AVAILABLE.

Remediation

Patch to a UBR of 6584 or higher on all Windows Server 2025 hosts. As an interim control, disabling the PrintSpooler service on domain controllers eliminates the CRITICAL attack path (but not the underlying MEDIUM risk from other coercion primitives). 
# Check current UBR on a Windows Server 2025 host (run locally)
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

Flags

This check runs automatically during every scan. No flag is required.
BehaviorDetails
Runs automaticallyYes
Auth requiredLow-privilege credentials (for RemoteRegistry access)
Additional network requestsNo for the UBR check; one RPC/TCP bind per vulnerable DC to confirm PrintSpooler