☢ Notable Research
Kerberos Is No Longer Relay-Proof
CVE-2026-20929 fundamentally changed the relay attack landscape. Cymulate's Ben Zamir demonstrated that DNS CNAME poisoning can coerce the Windows Kerberos client into requesting tickets for attacker-chosen SPNs — enabling full cross-service Kerberos relay to SMB, LDAP, and AD CS. The long-held assumption that Kerberos tickets are cryptographically bound to the intended service no longer holds when DNS is compromised. Microsoft's partial patch only covers HTTP; the root cause is unfixed. Disabling NTLM alone does not make you relay-proof.
2026
March 2026
Vulnerability
Patch Tuesday
CVE-2026-25177 — AD DS Privilege Escalation via Unicode SPN/UPN Manipulation (CVSS 8.8)
Microsoft's March 2026 Patch Tuesday fixed a high-severity Active Directory Domain Services vulnerability. Attackers with low privileges can craft Unicode characters in Service Principal Names (SPNs) or User Principal Names (UPNs) that bypass AD's duplicate-name validation. This can cause Kerberos to issue tickets encrypted with the wrong key, force authentication fallback to NTLM, and ultimately escalate to SYSTEM privileges. Network-reachable, low complexity, no user interaction required. Microsoft rates exploitation as "less likely" and it is not currently in the CISA KEV catalog, but the attack surface is broad — patch your domain controllers ASAP.
Microsoft Security Response Center →
February 2026
Hardening
Deprecation
Microsoft Announces 3-Phase Plan to Kill NTLM — Kerberos Migration Roadmap is Official
Microsoft has formally laid out a three-phase roadmap to deprecate NTLM across Windows. Phase 1 (available now) introduces enhanced NTLM auditing to identify where NTLM is still in use. Phase 2 (expected H2 2026) tackles common migration blockers with IAKerb and a local Key Distribution Center (KDC). Phase 3 will disable NTLM by default in the next Windows Server and client releases, requiring explicit re-enablement via policy. Worth noting: Windows Server 2025 and Windows 11 24H2 already kill NTLMv1, which is a real win. NTLMv2 is a different story entirely — it's deeply embedded in enterprise environments with far more dependencies, and actually removing it will be significantly harder. Phase 3 hinges on the "next major release," which for most orgs means a 5-10 year adoption horizon at best. The auditing in Phase 1 is genuinely useful, but don't hold your breath on NTLM disappearing anytime soon.
Microsoft Windows IT Pro Blog →
January 2026
Hardening
Tool
January Patch Tuesday Breaks Shadow Credentials — Tooling Already Updated
Microsoft's January 2026 cumulative update (KB5073723 for Server 2019, KB5073379 for Server 2025) introduced changes that broke Shadow Credentials attacks. The security community quickly diffed the patch and identified the changes. RedTeamPentesting has already updated their keycred tool (v1.2.1) to work with the new requirements.
@RedTeamPT on X →
January 2026
Vulnerability
Research
CVE-2026-20929 — Kerberos Relay via DNS CNAME Abuse: "Relay-Proof" Kerberos Falls (CVSS 7.5)
Cymulate researcher Ben Zamir broke the long-held assumption that Kerberos authentication is inherently immune to cross-service relay attacks. By poisoning DNS with CNAME records, an attacker can cause the Windows Kerberos client to request a TGS ticket for an attacker-chosen SPN instead of the intended service — the client blindly follows the CNAME alias when constructing the service ticket request. Combined with DNS MITM (ARP poisoning, DHCPv6/mitm6, rogue DNS), this enables full cross-service Kerberos relay to SMB, LDAP, and AD CS endpoints. The most devastating path: relay to AD CS web enrollment to obtain a certificate as the victim, granting persistent access that survives password changes.

Microsoft's January 2026 patch added Channel Binding Token (CBT) support to HTTP.sys, but this only mitigates HTTP-based relay. The underlying CNAME coercion primitive is unchanged — the Kerberos client still follows CNAME records and constructs TGS requests using the alias hostname. SMB and LDAP relay vectors remain exploitable without explicit signing and channel binding enforcement. This isn't a fix — it's a band-aid on one protocol while the root cause persists.

For defenders: this is a wake-up call. If your relay protection strategy assumed Kerberos was safe, it isn't. Enforce SMB signing, LDAP signing, and channel binding across your environment — these protections are now critical for both NTLM and Kerberos relay defense. And for the "just disable NTLM and you're safe from relay" crowd: disabling NTLM eliminates NTLM relay, but it does not make you relay-proof — this attack targets Kerberos directly.
Cymulate Research →
PoC Tool (GitHub) →
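As an added defender-side example (not from this roundup, Cymulate, or Microsoft), a PowerShell audit of the SMB signing, LDAP signing, and LDAP channel binding settings the entry above says to enforce. It reads the standard policy-backed registry locations for those Group Policy settings; the expected values assume the usual Microsoft semantics (SMB: 1 = required; LDAPServerIntegrity / LDAPClientIntegrity: 2 = require signing; LdapEnforceChannelBinding: 2 = always).

```powershell
# Added example: report whether this host enforces the relay mitigations called out above.
# Run elevated. The NTDS keys are only meaningful on domain controllers; the LanmanServer,
# LanmanWorkstation and LDAP (client) keys apply to every Windows host.
$checks = @(
    @{ Name = 'SMB server: require signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 }
    @{ Name = 'SMB client: require signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Want = 1 }
    @{ Name = 'LDAP server: require signing (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Want = 2 }
    @{ Name = 'LDAP server: always require channel binding (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding'; Want = 2 }
    @{ Name = 'LDAP client: require signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Key  = 'LDAPClientIntegrity'; Want = 2 }
)

function Get-RelayHardeningStatus {
    foreach ($c in $checks) {
        # Missing value means no policy is applied and the OS default is in effect
        # (negotiate / not required for most of these), so flag it for review rather
        # than silently treating it as compliant.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        $status = if ($null -eq $value) { 'REVIEW (not set)' }
                  elseif ($value -eq $c.Want) { 'OK' }
                  else { 'WEAK' }
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $value) { '<not set>' } else { $value }
            Required = $c.Want
            Status   = $status
        }
    }
}

Get-RelayHardeningStatus | Format-Table -AutoSize
```

Anything reported as WEAK or REVIEW on a DC is a host where the SMB or LDAP relay paths described above are still open regardless of whether NTLM is disabled.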