Senator Slams Microsoft Over Windows “Kerberoasting” Vulnerability

Summary
– A US Senator has called for an FTC investigation into Microsoft for cybersecurity negligence due to its continued use of the obsolete RC4 encryption cipher.
– The investigation was prompted by a ransomware breach at health care giant Ascension, which compromised 5.6 million patient records.
– Microsoft’s default use of RC4 in Active Directory leaves systems vulnerable, as many users do not enable stronger encryption options.
– This vulnerability enables “kerberoasting” attacks, a known technique since 2014 that exploits weak encryption in Kerberos authentication.
– RC4 has been known to be cryptographically broken since 1994, yet Microsoft still supports it as a default in Windows.
A prominent U.S. senator is urging the Federal Trade Commission to investigate Microsoft for what he describes as gross cybersecurity negligence, pointing to the company’s ongoing reliance on an outdated and vulnerable encryption method still enabled by default in Windows systems. The call for action follows a major ransomware attack that compromised millions of patient records, highlighting what critics argue is a preventable security flaw.
Senator Ron Wyden, a Democrat from Oregon, sent a formal letter to FTC Chairman Andrew Ferguson this week, citing findings from his office’s investigation into the 2024 breach of healthcare provider Ascension. The incident resulted in the exposure of sensitive medical data belonging to 5.6 million patients. Wyden asserted that Microsoft’s continued default use of the RC4 encryption cipher played a direct role in the attack’s success.
This marks the second time in recent years that Wyden has publicly accused Microsoft of negligence in its security practices. In his letter, the senator condemned what he called “dangerous software engineering decisions” that the company has allegedly kept hidden from its corporate and government clients. He emphasized that a single errant click by an employee could trigger a devastating, organization-wide ransomware infection due to these vulnerabilities.
The RC4 cipher, developed by cryptographer Ron Rivest in 1987, was once a proprietary algorithm but was publicly disclosed in 1994. Almost immediately, researchers identified critical weaknesses, and the cipher was effectively broken. Despite its well-documented flaws, RC4 remained in use across various encryption protocols for years. Most major software providers phased it out over a decade ago, but Microsoft still supports it as the default encryption method within Active Directory, a core component used to manage user accounts in large organizational networks.
Although Windows does offer more secure encryption alternatives, many organizations fail to enable them. This leaves systems relying on the Kerberos authentication protocol with the vulnerable RC4 cipher. Cryptography expert Matt Green of Johns Hopkins University noted in a recent blog post that this combination, coupled with a common misconfiguration granting excessive user privileges, leaves networks open to “kerberoasting.” This technique, known since 2014, allows attackers to extract and crack Kerberos tickets offline, bypassing stronger protections that could otherwise thwart such efforts.
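As an added defender-side example (not code from the article, Microsoft, or Green's post), the script below walks constructed records shaped like Windows Security event 4769 ("A Kerberos service ticket was requested"), flags any account that collects RC4-encrypted tickets for many service accounts, and counts how much RC4 traffic remains, the figure an administrator wants near zero before enforcing the stronger AES types. The record field names and the sample values are assumptions for this example.

```python
from collections import defaultdict

# Constructed records modelled on Windows Security event 4769. Field names are
# assumed for this example; real exports use TargetUserName, ServiceName,
# TicketEncryptionType and IpAddress. Encryption-type codes are the real ones.
SAMPLE_4769 = [
    {"user": "jdoe@CORP.LOCAL",   "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.5"},
    {"user": "jdoe@CORP.LOCAL",   "service": "svc_web", "etype": "0x17", "ip": "10.0.0.5"},
    {"user": "jdoe@CORP.LOCAL",   "service": "svc_bak", "etype": "0x17", "ip": "10.0.0.5"},
    {"user": "jdoe@CORP.LOCAL",   "service": "FS01$",   "etype": "0x17", "ip": "10.0.0.5"},
    {"user": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.9"},
    {"user": "asmith@CORP.LOCAL", "service": "krbtgt",  "etype": "0x12", "ip": "10.0.0.9"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC, RC4-HMAC-EXP
AES_ETYPES = {"0x11", "0x12"}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96


def is_crackable_target(service: str) -> bool:
    """Only service accounts with human-chosen passwords are the exposure:
    computer accounts (trailing '$') carry long random passwords, and krbtgt
    tickets are TGTs rather than service tickets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_ticket_requests(events):
    """(user, service) pairs where an RC4 service ticket was issued for a
    crackable service account; each one is a ticket exposed to offline cracking."""
    return sorted({(e["user"], e["service"]) for e in events
                   if e["etype"] in RC4_ETYPES and is_crackable_target(e["service"])})


def flag_candidates(events, threshold=3):
    """Accounts that pulled RC4 tickets for at least `threshold` distinct
    service accounts. A normal user needs one service; a harvest touches many."""
    per_user = defaultdict(set)
    for user, service in rc4_ticket_requests(events):
        per_user[user].add(service)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


def rc4_share(events):
    """(rc4_requests, total_requests): the residual RC4 usage to drive to zero
    before removing RC4 from msDS-SupportedEncryptionTypes on service accounts."""
    rc4 = sum(1 for e in events if e["etype"] in RC4_ETYPES)
    return rc4, len(events)
```

The threshold is deliberately low for the six constructed records; in production it is tuned against a baseline of how many distinct SPNs a typical user touches in a window.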
(Source: Ars Technica)