Listen to this Post
Introduction: A Silent Shift in Kerberos Attack Surface
A newly disclosed vulnerability in Windows Kerberos authentication is reshaping how defenders must think about credential relay attacks. Unlike older techniques that depended on NTLM or niche configurations, this flaw abuses DNS behavior at a fundamental level, allowing attackers to manipulate how Service Principal Names (SPNs) are selected during Kerberos authentication. The result is a powerful relay vector that works even in environments where NTLM has been fully disabled and Kerberos is assumed to be “secure by default.” Tracked as CVE-2026-20929, the issue affects modern Windows client and server systems and has been confirmed by Microsoft following responsible disclosure.
Overview of CVE-2026-20929
CVE-2026-20929 is a critical Kerberos authentication vulnerability that enables credential-relay attacks through DNS CNAME manipulation. By abusing how Windows clients resolve service hostnames during Kerberos authentication, attackers can redirect ticket requests to systems they control. This behavior allows threat actors to bypass traditional security assumptions around Kerberos, opening the door to lateral movement, privilege escalation, and credential theft across enterprise environments.
Affected Windows Platforms
The vulnerability impacts a wide range of currently supported Windows operating systems. This includes Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. Because these platforms are widely deployed in enterprise networks, the real-world exposure is significant, particularly in environments with complex DNS infrastructure or legacy service configurations.
Severity and Risk Classification
Microsoft and independent researchers have classified CVE-2026-20929 as Critical. The severity stems from the attack’s flexibility, low visibility, and ability to function even when NTLM authentication is completely disabled. The vulnerability undermines a core trust assumption in Kerberos-based authentication workflows, which many organizations rely on as their primary defense against relay attacks.
How Kerberos Uses DNS During Authentication
When a Windows client connects to a network service using Kerberos, it performs DNS resolution to identify the service’s hostname. The resolved hostname is then used to construct the SPN embedded in the Ticket Granting Service (TGS) request. This SPN determines which service the Kerberos ticket is valid for and which account ultimately receives it.
DNS CNAME Abuse as the Core Attack Vector
The vulnerability arises from how Windows processes DNS CNAME records during service resolution. If an attacker can intercept or influence DNS responses, they can return a malicious CNAME record that redirects the client to an attacker-controlled hostname. Alongside this CNAME, the attacker provides an A record pointing to their own IP address. The Windows client, trusting the DNS response, constructs the Kerberos TGS request using the attacker’s chosen SPN rather than the intended service.
Forced Kerberos Ticket Requests to Attacker Systems
This behavior allows attackers to force victims to request Kerberos service tickets for systems they control. Once the ticket is issued, it can be relayed to other services that accept Kerberos authentication, enabling unauthorized access without ever cracking credentials or exploiting memory corruption bugs.
Why This Technique Is Different From Older Kerberos Relays
Traditional Kerberos relay attacks were often limited to specific scenarios, such as machine accounts, constrained delegation setups, or misconfigured services. CVE-2026-20929 removes many of these limitations. By controlling SPN selection through DNS, attackers gain on-demand influence over Kerberos authentication flows across default Windows installations.
Preconditions for Exploitation
Successful exploitation requires two main conditions. First, the attacker must obtain a man-in-the-middle position capable of intercepting or spoofing DNS traffic. Second, the target service must accept Kerberos authentication without enforcing message signing or Channel Binding Tokens (CBT). Unfortunately, many enterprise services still meet these criteria.
Common Network Positioning Techniques
Attackers can achieve DNS interception using several well-known techniques. These include ARP poisoning on local networks, DHCPv4 poisoning to inject malicious DNS server addresses, and DHCPv6 poisoning using MITM6-style attacks. In complex enterprise environments, these techniques are often easier to execute than defenders expect.
Cross-Protocol Kerberos Ticket Acceptance
One of the most alarming findings from the research is that many Windows services accept Kerberos tickets based only on the hostname portion of the SPN. The service prefix is often ignored. As a result, SMB services accept tickets with HTTP prefixes, while HTTP services accept tickets with CIFS prefixes. This cross-protocol behavior dramatically expands the attack surface.
SMB and HTTP Relay Abuse
Because of this lax SPN validation, attackers can relay HTTP authentication to SMB services or pivot SMB authentication into web-based endpoints. This flexibility makes it easier to chain attacks and reach high-value targets, even when individual services appear properly secured.
Targeting Active Directory Certificate Services
A particularly dangerous exploitation path involves Active Directory Certificate Services (ADCS) web enrollment endpoints. By relaying Kerberos authentication to these interfaces, attackers can request authentication certificates on behalf of victims, potentially leading to full domain compromise.
Microsoft’s Response and Confirmation
Microsoft confirmed the reported behavior after responsible disclosure in October 2025. Rather than altering how Windows follows CNAME records during Kerberos authentication, Microsoft focused on strengthening service-side defenses. In the January 2026 security updates, Channel Binding Token support was added to HTTP.sys across supported Windows Server versions.
Limitations of the January 2026 Mitigation
While the addition of CBT support for HTTP services improves security, it does not eliminate the underlying DNS CNAME manipulation capability. The Kerberos client behavior remains unchanged, meaning organizations must still enforce protections at the service level to prevent relay attacks.
Why Kerberos Alone Cannot Stop Relay Attacks
Security experts emphasize that Kerberos, by design, cannot prevent relay attacks on its own. Kerberos authenticates identities but does not guarantee that the endpoint receiving the ticket is the intended one. Service-level protections are therefore essential to close the gap exploited by CVE-2026-20929.
SMB Signing as a Primary Defense
Enforcing SMB signing on all servers is one of the most effective mitigations. SMB signing ensures message integrity and prevents attackers from relaying Kerberos-authenticated SMB sessions to unauthorized systems.
Channel Binding Tokens for HTTP and HTTPS
Mandating Channel Binding Tokens for all HTTP and HTTPS services significantly reduces the risk of Kerberos relay attacks. CBT binds the authentication to the underlying transport channel, making relayed tickets unusable.
LDAP Signing and LDAPS Protections
Active Directory environments must require LDAP signing and enforce CBT for LDAPS connections. Without these protections, LDAP remains a high-value target for Kerberos relay-based lateral movement.
DNS Infrastructure Hardening
Hardening DNS infrastructure is critical. Organizations should restrict which systems can respond to DNS queries, deploy secure DNS configurations, and consider encrypted DNS mechanisms such as DNS over HTTPS (DoH) where feasible.
Monitoring for Anomalous Kerberos Behavior
Detection plays an important role in mitigating this threat. Security teams should monitor for unusual TGS requests, unexpected SPN patterns, and abnormal CNAME usage that could indicate active exploitation.
Operational Impact on Enterprise Networks
The operational impact of CVE-2026-20929 is significant. Many enterprises rely on implicit trust between internal services and assume Kerberos is safe once NTLM is disabled. This vulnerability challenges that assumption and forces a reevaluation of long-standing security baselines.
The Broader Security Implications
This vulnerability highlights how legacy design decisions in core protocols can resurface as critical threats decades later. DNS and Kerberos are foundational technologies, and their interaction is often overlooked during security architecture reviews.
What Undercode Say:
A Wake-Up Call for Kerberos-Centric Security Models
CVE-2026-20929 is not just another Windows vulnerability; it is a reminder that authentication protocols are only as strong as the ecosystem around them. Organizations have spent years disabling NTLM and hardening Kerberos, yet this flaw bypasses those efforts by abusing DNS trust relationships that few security teams actively monitor.
DNS as the New Authentication Battleground
The attack underscores DNS as a high-risk component of authentication workflows. Too often, DNS is treated as plumbing rather than a security boundary. Undercode believes that defenders must begin treating DNS responses as security-sensitive inputs, especially when they influence identity and access decisions.
Service-Level Enforcement Is No Longer Optional
The research behind this vulnerability makes one point clear: relying on protocol defaults is no longer sufficient. SMB signing, CBT enforcement, and LDAP protections must move from “best practice” to mandatory policy in enterprise environments.
Cross-Protocol Abuse Changes the Threat Model
The ability to relay Kerberos authentication across protocols fundamentally changes how lateral movement works. Attackers are no longer confined to exploiting the same service they intercept. This flexibility accelerates compromise timelines and reduces the attacker’s operational complexity.
Patch Management Is Necessary but Not Sufficient
Microsoft’s January 2026 updates are a step forward, but they do not fully address the root cause. Undercode notes that organizations waiting for a “full fix” are exposing themselves to unnecessary risk. Defense-in-depth is the only viable strategy.
Detection Must Evolve Alongside Prevention
Preventive controls will not catch every attack. Monitoring for anomalous SPN usage, unexpected Kerberos flows, and suspicious DNS behavior must become part of routine security operations if organizations hope to detect exploitation early.
A Strategic Shift for Enterprise Defenders
Ultimately, CVE-2026-20929 forces a strategic shift. Authentication security can no longer be treated as a solved problem. Continuous validation, layered defenses, and visibility into protocol interactions are now essential components of modern enterprise security.
Fact Checker Results
Verification of Technical Claims
✅ The described DNS CNAME abuse aligns with documented Kerberos client behavior.
✅ Microsoft has confirmed the issue and released partial mitigations in January 2026 updates.
❌ No evidence suggests the underlying CNAME processing behavior has been fully changed.
Prediction
The Future of Kerberos Hardening
🔮 Enterprises will accelerate mandatory SMB signing and CBT enforcement across all services.
🔮 DNS security controls will gain prominence as part of identity protection strategies.
🔮 Kerberos relay attacks will increasingly target certificate services and cross-protocol paths.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
