Active Directory Password‑Reset Gap Lets Attackers Retain Access After Credentials Are Changed
What Happened — Research and vendor briefings reveal that resetting a user’s password in on‑premises Active Directory (AD) or hybrid Entra ID does not instantly invalidate password hashes cached on offline devices, nor does the change reach Entra ID until the AD‑to‑Entra sync window has elapsed. Attackers who have previously harvested a hash can continue to authenticate via pass‑the‑hash or other techniques until the cache expires or sync completes.
Why It Matters for Third‑Party Risk Management (TPRM) —
- Persistent credential hashes create a hidden foothold that can be leveraged to move laterally across a third‑party’s network.
- Vendor‑managed environments (e.g., MSP‑hosted AD, SaaS identity platforms) may inherit this gap, expanding the attack surface for your organization.
- Traditional “reset‑the‑password” response may give a false sense of remediation, delaying proper incident containment.
Who Is Affected — Enterprises using on‑premises AD, hybrid Azure Entra ID, Managed Service Providers that host AD, and any third‑party SaaS relying on AD federation.
Recommended Actions —
- Verify that password‑reset tools (e.g., Specops uReset) push immediate cache invalidation to endpoints.
- Enforce short cache lifetimes and require periodic re‑authentication for offline devices.
- Audit hybrid sync intervals; consider reducing the password‑hash sync window.
- Incorporate credential‑hash monitoring into your third‑party risk assessments.
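The following PowerShell script is an added example, not code from the article, BleepingComputer, Specops or Microsoft. It checks two of the controls above on the host it runs on (the Winlogon CachedLogonsCount value that governs how many domain logons are cached for offline use, and the Entra Connect sync scheduler if the ADSync module is installed) and then correlates password‑reset events (4724) with later NTLM network logons (4624, logon type 3) for the same account, which is the activity a retained hash would produce. The $MaxCachedLogons ceiling and the $LookbackHours window are assumed policy values; the registry path, the Get‑ADSyncScheduler cmdlet and the event IDs are standard Windows and Entra Connect ones.

```powershell
# Added audit example (not from the article or any vendor). Run as an administrator
# on a domain controller for the event correlation, or on the Entra Connect server
# for the sync-window check. Policy values below are assumptions.
param(
    [int]$MaxCachedLogons = 2,    # assumed policy ceiling for CachedLogonsCount
    [int]$LookbackHours   = 24    # assumed correlation window for resets vs logons
)

# 1. Offline credential cache: Winlogon\CachedLogonsCount (Windows default is 10,
#    0 disables offline caching). Lower values shorten the window in which a
#    device accepts an old password while disconnected from a DC.
function Get-CachedLogonSetting {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { $value = 10 }   # value absent means the Windows default applies
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        CachedLogonsCount = [int]$value
        Compliant         = ([int]$value -le $MaxCachedLogons)
    }
}

# 2. Entra Connect sync scheduler: shows whether the cycle is enabled, its
#    effective interval and the next scheduled run. Only works on the Connect server.
function Get-SyncWindow {
    if (-not (Get-Module -ListAvailable -Name ADSync)) {
        return 'ADSync module not present on this host; run on the Entra Connect server'
    }
    Import-Module ADSync
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled  = $s.SyncCycleEnabled
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        NextSyncUtc       = $s.NextSyncCycleStartTimeInUTC
    }
}

# Flatten an event's EventData into a name -> value hashtable.
function ConvertTo-EventDataMap($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    return $d
}

# 3. Password resets (4724, TargetUserName = account reset) followed by NTLM
#    network logons (4624, LogonType 3, AuthenticationPackageName NTLM) for the
#    same account. These are triage candidates, not proof of misuse.
function Find-PostResetNtlmLogons {
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $resets = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            [pscustomobject]@{ Account = $d['TargetUserName']; ResetAt = $_.TimeCreated }
        }
    if (-not $resets) { return @() }

    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            [pscustomobject]@{
                Account   = $d['TargetUserName']
                LogonType = $d['LogonType']
                AuthPkg   = $d['AuthenticationPackageName']
                Source    = $d['IpAddress']
                At        = $_.TimeCreated
            }
        } | Where-Object { $_.LogonType -eq '3' -and $_.AuthPkg -eq 'NTLM' }

    foreach ($r in $resets) {
        $logons | Where-Object { $_.Account -eq $r.Account -and $_.At -gt $r.ResetAt } |
            Select-Object Account,
                          @{ n = 'ResetAt';     e = { $r.ResetAt } },
                          @{ n = 'NtlmLogonAt'; e = { $_.At } },
                          Source
    }
}

Get-CachedLogonSetting    | Format-List
Get-SyncWindow            | Format-List
Find-PostResetNtlmLogons  | Format-Table -AutoSize
```

An NTLM logon after a reset is not by itself evidence of a retained hash, since the new password also produces NTLM logons; the value of the correlation is in the Source column, which lets the responder check whether the logon came from a device that should already have received the reset (or one that was offline at the time). Combined with a non‑compliant CachedLogonsCount or a disabled sync cycle, it gives a concrete picture of how long the old credential stayed usable.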
Technical Notes — The issue stems from Windows’ local password‑hash caching and the asynchronous nature of AD‑to‑Entra ID synchronization. No CVE is cited; the vulnerability is procedural. Attackers exploit cached hashes via pass‑the‑hash or similar techniques. Source: BleepingComputer