What happened
Researchers disclosed a critical flaw in which a Kerberos relay attack abuses DNS CNAME handling to enable credential relay by manipulating DNS alias responses in Active Directory environments. The issue lies in how Windows Kerberos clients construct Service Principal Names (SPNs) when they receive CNAME records during DNS resolution: an on-path attacker can coerce a client into requesting a service ticket for an attacker-controlled host. Exploitation involves intercepting or spoofing DNS responses to insert a malicious CNAME record and a corresponding A record, which redirect the ticket request to infrastructure the attacker controls. The technique was tested successfully on default configurations of Windows 10, Windows 11, and Windows Server 2022/2025, particularly against unprotected services that do not enforce message signing or Channel Binding Tokens (CBT). Mitigations such as the January 2026 security updates added CBT support for HTTP.sys, but the underlying CNAME coercion remains unchanged.
Who is affected
Enterprises running Active Directory with affected Windows platforms and default authentication settings are directly exposed to this Kerberos relay technique. Systems without strict Kerberos protections such as signing and CBT enforcement are most at risk.
Why CISOs should care
This vulnerability impacts core authentication processes used in corporate networks and can facilitate credential relay, lateral movement, and unauthorized access. Without comprehensive defenses, attackers can misuse normal Kerberos flows to access sensitive services.
3 practical actions
- Enforce Kerberos protections: Enable message signing and Channel Binding Token requirements for all Kerberos-enabled services.
- Harden DNS resolution: Strengthen DNS infrastructure and monitor for anomalous CNAME responses indicating manipulation.
- Audit authentication policies: Review Active Directory service configurations to ensure anti-relay controls are consistently applied.
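As an added example (not from this brief or from the researchers who disclosed the flaw), the Python below simulates how a client that follows a CNAME answer ends up with a different SPN host than the name it queried, and flags CNAME answers that diverge from a baseline of expected aliases or leave the trusted AD zone, which is the kind of anomalous-CNAME monitoring the second action calls for. The record set, zone names, and the assumption that the SPN is formed as service-class/canonical-host are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name as it appears in the DNS answer section
    rtype: str  # "CNAME" or "A"
    data: str   # alias target for CNAME, IPv4 address for A

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def resolve_spn_host(query: str, answers: list[Record], max_hops: int = 8) -> str:
    """Follow CNAME aliases like a resolver and return the canonical host a client
    would place in its SPN (assumption: the client uses the CNAME target)."""
    name = _norm(query)
    for _ in range(max_hops):
        targets = [r.data for r in answers if r.rtype == "CNAME" and _norm(r.name) == name]
        if not targets:
            return name
        name = _norm(targets[0])
    raise ValueError("CNAME chain too long")

def check_answers(query, answers, trusted_zone, expected_aliases, service_class="cifs"):
    """Return (spn, verdict). A CNAME answer is accepted only when its canonical
    target matches the baseline for that query and stays inside the trusted zone."""
    q = _norm(query)
    host = resolve_spn_host(query, answers)
    spn = f"{service_class}/{host}"
    if host == q:
        return spn, "ok"  # no alias involved; the SPN names the queried host
    in_zone = host == trusted_zone or host.endswith("." + trusted_zone)
    if in_zone and host == _norm(expected_aliases.get(q, "")):
        return spn, "ok"
    return spn, f"ALERT: CNAME redirects SPN for {q} to {host}"

# Constructed sample data (not real records or hosts).
TRUSTED_ZONE = "corp.example"
EXPECTED_ALIASES = {"fileserver.corp.example": "fs01.corp.example"}
BENIGN = [Record("fileserver.corp.example", "CNAME", "fs01.corp.example."),
          Record("fs01.corp.example", "A", "10.0.0.5")]
SUSPICIOUS = [Record("fileserver.corp.example", "CNAME", "rogue.attacker.example."),
              Record("rogue.attacker.example", "A", "10.0.0.99")]

if __name__ == "__main__":
    for label, answers in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, *check_answers("fileserver.corp.example", answers, TRUSTED_ZONE, EXPECTED_ALIASES))
```

The baseline of expected aliases is the part a defender has to maintain; without it, an in-zone CNAME that points at an unexpected host would pass the zone check alone.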
