A critical vulnerability in Windows Kerberos authentication that enables attackers to conduct credential-relay attacks by exploiting DNS CNAME records.
Tracked as CVE-2026-20929, this flaw allows threat actors to force victims into requesting Kerberos service tickets for attacker-controlled systems, facilitating lateral movement and privilege escalation even when NTLM authentication is entirely disabled.
| CVE ID | Vulnerability Name | Affected Systems | Severity |
|---|---|---|---|
| CVE-2026-20929 | Kerberos Authentication Relay via DNS CNAME Abuse | Windows 10, Windows 11, Windows Server 2022, Windows Server 2025 | Critical |
How the Attack Works
The vulnerability exploits how Windows Kerberos clients process DNS Canonical Name (CNAME) records during authentication.
When a Windows system connects to a service, it performs a DNS lookup to resolve the hostname.
If an attacker intercepts this DNS query and responds with a malicious CNAME record pointing to an attacker-chosen hostname plus an A record containing the attacker’s IP address, the Windows client constructs its Ticket Granting Service (TGS) request using the CNAME hostname as the Service Principal Name (SPN) instead of the original service.
This behavior works reliably against user accounts on default Windows installations, including Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025.
Unlike previous Kerberos relay techniques, which were limited to machine accounts or specific configurations, this CNAME-based method allows attackers to exert on-demand control over SPN selection.
Exploiting this vulnerability requires two conditions: a man-in-the-middle position for DNS traffic interception and target services accepting Kerberos authentication without enforcing signing or Channel Binding Tokens (CBT).
Attackers can achieve the necessary network position through ARP poisoning to masquerade as the gateway, DHCPv4 poisoning to inject the attacker’s DNS server address, or DHCPv6 poisoning using the MITM6 technique.
When a victim attempts to access any domain resource, their DNS query is intercepted and answered with crafted responses.
The victim’s system automatically requests a TGS for the attacker-specified SPN. It presents it to the attacker-controlled server, which then relays the valid service ticket to the intended target, successfully impersonating the victim.
Research revealed that many Windows services accept TGS tickets based solely on the SPN’s hostname portion, regardless of the service prefix.
SMB services accept tickets with HTTP prefixes, and HTTP endpoints accept tickets with CIFS prefixes.
This cross-protocol acceptance dramatically broadens exploitation opportunities, enabling attackers to relay HTTP authentication to SMB services or target Active Directory Certificate Services (ADCS) web enrollment interfaces for certificate theft.
Microsoft’s Response and Mitigation
Microsoft confirmed the behavior after responsible disclosure in October 2025, as reported by Cymulate.
Rather than modifying the CNAME-following behavior, Microsoft implemented Channel Binding Token support for HTTP.sys across supported Windows Server versions in January 2026 security updates.
| Mitigation Category | Required Actions | Services Affected |
|---|---|---|
| Protocol Signing | Enforce SMB signing on all servers | SMB, CIFS |
| Channel Binding | Mandate CBT for all HTTP/S services | IIS, ADCS, Web Apps |
| LDAP Protection | Require LDAP signing and LDAPS CBT | Active Directory, LDAP |
| DNS Hardening | Implement DoH, restrict DNS responders | All DNS clients |
| Anomaly Detection | Monitor unusual TGS requests and CNAME usage | All Kerberos services |
However, the underlying CNAME manipulation capability remains unchanged. Security experts emphasize that Kerberos itself does not prevent relay attacks protection must be enforced at individual service levels.
Organizations must enforce SMB signing on all servers, mandate CBT for HTTP/HTTPS services, require LDAP signing with LDAPS CBT, harden DNS infrastructure, and monitor for unusual TGS requests.
Follow us on Google News, LinkedIn, and X to Get Instant Updates ancd Set GBH as a Preferred Source in Google.