DNS CNAME Abuse Enables New Kerberos Relay Attack, PoC Released

A flaw in how Windows clients build Kerberos service ticket requests significantly expands the practical attack surface for Kerberos relaying in Active Directory environments. A proof of concept (PoC) has been released.

First, some background on the Reflective Kerberos Relay Attack

The Reflective Kerberos Relay Attack is a privilege escalation technique targeting Windows environments, discovered in early 2025.

The method bypasses Microsoft’s long-standing NTLM reflection protections by leveraging Kerberos authentication instead. The core idea is deceptively simple: coerce a host into authenticating with Kerberos and relay that authentication back to the same host, which yields NT AUTHORITY\SYSTEM privileges on it.

The attack was discovered by RedTeam Pentesting, a cybersecurity research group based in Germany. Their team identified the loophole during relay attack research and reported it to Microsoft in January 2025.

Where the Reflective Kerberos Relay attack applies

The attack targets Windows hosts in Active Directory environments. It specifically requires:

  • A misconfiguration such as SMB signing not being enforced on the target
  • SMB (Server Message Block) to be reachable on the target
  • A coercion mechanism (e.g., via DCERPC) to force the target to authenticate

The DNS CNAME Based Kerberos Relay Attack

Researchers from Cymulate Labs uncovered a flaw in how Windows clients build Kerberos service ticket requests that significantly expands the attack surface for credential relay attacks in Active Directory environments.

The Attack flow

By abusing the interaction between Kerberos TGS requests and DNS CNAME resolution, an attacker positioned on-path to intercept DNS traffic can coerce Windows clients into requesting user service tickets for attacker-chosen Service Principal Names (SPNs): the client follows the CNAME in the poisoned answer and builds the SPN from the canonical name rather than the name it originally asked for.

These tickets can then be relayed across protocols such as SMB and HTTP in environments where signing or Channel Binding Tokens (CBT) are not enforced, enabling user impersonation without ever knowing the victim’s password. 

The technique requires the attacker to gain control over the victim’s DNS resolution, for example through ARP poisoning, DHCPv6 poisoning (mitm6), or similar methods.
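To make the attack flow concrete, the following is an added example (not code from Cymulate’s research or their mitm6 fork) that models the client-side behaviour described above: a poisoned DNS answer maps the host the victim asked for to a CNAME whose target is the service the attacker wants a ticket for, while the A record for that target points at the attacker. The host names, addresses and resolver logic are constructed for illustration; the example only shows how the SPN in the TGS request ends up under the attacker’s control, not the relay itself.

```python
"""Model of how a Kerberos client derives the SPN for a TGS request when
the DNS answer contains a CNAME.  Added example; names/addresses are
constructed and the resolver is a simplified stand-in for the Windows one."""
import struct

# Constructed values for the demonstration (not from the research).
VICTIM_QUERY = "share1.corp.local"   # host the coerced client tries to reach
RELAY_TARGET = "ca01.corp.local"     # service the attacker wants a ticket for
ATTACKER_IP = "10.0.0.66"            # where the poisoned answer sends the client
POISONED_ANSWERS = [
    (VICTIM_QUERY, "CNAME", RELAY_TARGET),   # redirect the name...
    (RELAY_TARGET, "A", ATTACKER_IP),        # ...and the connection
]
LEGIT_ANSWERS = [(VICTIM_QUERY, "A", "10.0.0.5")]


def encode_name(name):
    """Dotted host name -> DNS wire-format labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234, compress=False):
    """Minimal DNS response: one A question plus the given (owner, type, rdata)
    answers.  With compress=True the owner of an answer equal to the question
    name is written as a pointer to offset 12, as real answers often are."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", 1, 1)      # QTYPE A, IN
    for owner, rtype, rdata in answers:
        owner_wire = (b"\xc0\x0c" if compress and owner.lower() == qname.lower()
                      else encode_name(owner))
        if rtype == "A":
            code, payload = 1, bytes(int(o) for o in rdata.split("."))
        elif rtype == "CNAME":
            code, payload = 5, encode_name(rdata)
        else:
            raise ValueError(rtype)
        body += owner_wire + struct.pack(">HHIH", code, 1, 60, len(payload)) + payload
    return header + body


def read_name(msg, off):
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_answers(msg):
    """Return the answer section as a list of (owner, 'A'|'CNAME', rdata)."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:
            answers.append((owner, "CNAME", read_name(msg, off)[0]))
        elif rtype == 1:
            answers.append((owner, "A", ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return answers


def resolve_for_kerberos(msg, requested_host, service="cifs", max_chain=8):
    """Client that canonicalises through CNAMEs before building the SPN.
    Returns (SPN put in the TGS request, address the client connects to)."""
    answers = parse_answers(msg)
    cnames = {o: t for o, rt, t in answers if rt == "CNAME"}
    addrs = {o: ip for o, rt, ip in answers if rt == "A"}
    host = requested_host.lower().rstrip(".")
    for _ in range(max_chain):                        # bounded: no CNAME loops
        if host not in cnames:
            break
        host = cnames[host]          # SPN follows the CNAME target, not the query
    return f"{service}/{host}", addrs.get(host)


if __name__ == "__main__":
    print(resolve_for_kerberos(build_response(VICTIM_QUERY, POISONED_ANSWERS, compress=True), VICTIM_QUERY))
    print(resolve_for_kerberos(build_response(VICTIM_QUERY, LEGIT_ANSWERS), VICTIM_QUERY))
```

With the poisoned answer the client asks the KDC for a ticket to cifs/ca01.corp.local (the attacker-chosen SPN) but opens its SMB connection to 10.0.0.66, so the AP-REQ it sends is a ticket the attacker can forward to the real ca01.corp.local wherever that service does not require signing or CBT; with the legitimate answer the SPN and the address both stay on share1.corp.local.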

Threat mitigation: Kerberos CNAME

Mitigation for this exposure is achieved by enforcing Channel Binding Tokens (CBT) and signing on all services where current environment constraints allow, and by applying the latest Microsoft Windows security updates.

To test and validate resilience against attacks targeting this weakness, Cymulate Exposure Validation has been updated with new attack scenarios to simulate how attackers discover vulnerable targets and execute an exploit. These attack scenarios include:

  • Scan for Relayable Windows Authentication Services (Missing Signing or CBT)
  • Kerberos CNAME Abuse Relay Using MITM6 to AD CS (ESC8)
  • Kerberos CNAME Abuse Relay – Enumerate And Relay

Key findings and impact of the released PoC

This research was responsibly disclosed to Microsoft in October 2025. Microsoft confirmed the reported behavior and acknowledged that Windows Kerberos clients will follow DNS CNAME responses when constructing Service Principal Names (SPNs) for Ticket Granting Service (TGS) requests. 

The result is Kerberos relay of user accounts, which expands the attack surface to unauthenticated user impersonation and unauthorized protocol access. Depending on the target protocol this could result in:

  1. Remote code execution
  2. Lateral movement and privilege escalation
  3. Unauthorized access to systems and applications

Researchers at Cymulate set out the preconditions: the attacker must be able to intercept or modify DNS traffic from the victim. Network conditions that make this achievable include, but are not limited to, ARP poisoning, DHCPv4/DHCPv6 poisoning, or other MITM techniques.

The target service must accept Kerberos authentication without mandatory signing or CBT enforcement. Services tested that are vulnerable include SMB and HTTP when signing or CBT are not enforced. 


The researchers released a modified version of the mitm6 tool on GitHub with CNAME poisoning capabilities. The tool supports targeted CNAME poisoning against specific domains or against all DNS queries, includes a DNS-only mode for integration with ARP poisoning, and offers a passthrough option to preserve connectivity to critical infrastructure. Running it requires Python 3.x and a Linux operating system.

Sources: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation

Sources: New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations – PoC Released
