Search

Kerberos relay attack abuses DNS CNAME handling in Windows authentication

Cyber threats and incidents
By John Kevin Hao

Related

Cyber threats and incidents

Fake OpenAI Repository on Hugging Face Pushes Infostealer Malware

What happened A malicious Hugging Face repository impersonating OpenAI's Privacy...
Read more
Cyber threats and incidents

Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers

What happened An Iran-linked threat group known as CyberAv3ngers is...
Read more
Cyber threats and incidents

Android Malware Campaign Uses Hugging Face to Distribute Thousands of Malicious APK Variants

What happened An Android malware campaign is using the Hugging...
Read more
Cyber threats and incidents

Matanbuchus Malware Downloader Evading AV Detection

What happened The Matanbuchus malware downloader has reappeared with updated...
Read more
Cyber threats and incidents

3,280,081 Fortinet Devices Found Online With Exposed Web Properties

What happened A large-scale internet scan identified more than 3.28...
Read more

Share

What happened

The Kerberos relay attack abuses DNS CNAME handling after researchers disclosed a critical flaw that enables credential relay by manipulating DNS alias responses in Active Directory environments. This issue affects how Windows Kerberos clients construct Service Principal Names (SPNs) when they receive CNAME records during DNS resolution, allowing on-path attackers to coerce clients into requesting service tickets for attacker-controlled hosts. Exploitation involves intercepting or spoofing DNS responses to insert malicious CNAME and corresponding A records, which redirect ticket requests to infrastructure controlled by the attacker. The technique was tested successfully on default configurations of Windows 10, Windows 11, and Windows Server 2022/2025, particularly against unprotected services without enforced message signing or Channel Binding Tokens (CBT). Mitigations like January 2026 security updates added CBT support for HTTP.sys, but the underlying CNAME coercion remains unchanged. 

Who is affected

Enterprises running Active Directory with affected Windows platforms and default authentication settings are directly exposed to this Kerberos relay technique. Systems without strict Kerberos protections such as signing and CBT enforcement are most at risk.

Why CISOs should care

This vulnerability impacts core authentication processes used in corporate networks and can facilitate credential relay, lateral movement, and unauthorized access. Without comprehensive defenses, attackers can misuse normal Kerberos flows to access sensitive services. 

3 practical actions

  • Enforce Kerberos protections: Enable message signing and Channel Binding Token requirements for all Kerberos-enabled services.

  • Harden DNS resolution: Strengthen DNS infrastructure and monitor for anomalous CNAME responses indicating manipulation.

  • Audit authentication policies: Review Active Directory service configurations to ensure anti-relay controls are consistently applied.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

Previous article
CISOs to Watch in Canadian Real Estate
Next article
Redmi Buds firmware flaws expose call data and enable device crashes

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.