DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-60704: Elevation of Privilege via Missing Cryptographic Step in Windows Kerberos S4U (CheckSum)

Vulnerability ID: CVE-2025-60704
CVSS Score: 7.5
Published: 2025-11-11

CVE-2025-60704 is a critical elevation of privilege vulnerability in the Windows Kerberos authentication protocol. The flaw resides in the handling of Service for User (S4U) extensions, specifically within the protocol transition logic. A missing cryptographic step allows attackers to bypass checksum validation in the PA-S4U-X509-USER structure, leading to unauthorized identity impersonation and domain compromise.

TL;DR

A flaw in Windows Kerberos KDC allows attackers to bypass keyed checksum validation in S4U2self requests. By downgrading the checksum, an attacker can forge a user identity and obtain service tickets, leading to privilege escalation in environments using Constrained Delegation.


Technical Details

  • CWE ID: CWE-325: Missing Cryptographic Step
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 7.5 (High)
  • EPSS Score: 0.00045 (percentile: 13.79%)
  • Impact: Elevation of Privilege / Identity Impersonation
  • Exploit Status: None (No public PoC)
  • KEV Status: Not Listed
  • Affected Component: Kerberos KDC (PA-S4U-X509-USER)

Affected Systems

  • Windows 10: 1607, 1809, 21H2, 22H2 (fixed in the November 2025 updates)
  • Windows 11: 22H2, 23H2, 24H2, 25H2 (fixed in the November 2025 updates)
  • Windows Server: 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025 (fixed in the November 2025 updates)

Mitigation Strategies

  • Apply the November 2025 Cumulative Update to all Domain Controllers.
  • Audit Active Directory for accounts utilizing Protocol Transition (TrustedToAuthForDelegation).
  • Review and restrict Constrained Delegation configurations (msDS-AllowedToDelegateTo).
  • Implement monitoring for anomalous TGS-REQ events (Event ID 4769) and downgraded Kerberos encryption types.

Remediation Steps:

  1. Identify all Domain Controllers within the Active Directory forest.
  2. Download and install the November 11, 2025 Cumulative Update that matches each Domain Controller's Windows Server version.
  3. Reboot the Domain Controllers to apply the KDC updates.
  4. Execute an Active Directory audit script to list all accounts with the 'TrustedToAuthForDelegation' flag set.
  5. Evaluate the business requirement for each identified account and remove the flag where it is not strictly necessary.
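The audit in step 4 and the Event ID 4769 monitoring from the mitigation list, as an added PowerShell example that is not part of the original report. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on every Domain Controller, and that the list of weak ticket encryption types worth flagging (DES and RC4 etypes) is an assumption of this example rather than something the report specifies.

```powershell
# Added example: list Protocol Transition / Constrained Delegation accounts and
# hunt for TGS-REQ (4769) events whose ticket encryption type was downgraded.
Import-Module ActiveDirectory

# TRUSTED_TO_AUTH_FOR_DELEGATION is bit 0x1000000 of userAccountControl.
# The 1.2.840.113556.1.4.803 matching rule (LDAP_MATCHING_RULE_BIT_AND) tests that single bit.
$TrustedToAuthForDelegation = 0x1000000
$ldapFilter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$TrustedToAuthForDelegation))"

# Users and computers (computer objects are also objectClass=user) with the flag set,
# together with the SPNs they may delegate to (msDS-AllowedToDelegateTo).
$protocolTransitionAccounts = Get-ADObject -LDAPFilter $ldapFilter `
    -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
    Select-Object sAMAccountName, objectClass,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

"Accounts with TrustedToAuthForDelegation set:"
$protocolTransitionAccounts | Format-Table -AutoSize

# Ticket encryption types as they appear in the 4769 TicketEncryptionType field.
# Assumed watch list: DES-CBC-CRC (0x1), DES-CBC-MD5 (0x3), RC4-HMAC (0x17), RC4-HMAC-EXP (0x18).
$weakEtypes = @('0x1', '0x3', '0x17', '0x18')
$since      = (Get-Date).AddDays(-1)

$findings = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        if ($weakEtypes -contains $data['TicketEncryptionType']) {
            [pscustomobject]@{
                TimeCreated         = $_.TimeCreated
                DomainController    = $dc
                Requester           = $data['TargetUserName']
                Service             = $data['ServiceName']
                TicketEncryptionType = $data['TicketEncryptionType']
                ClientAddress       = $data['IpAddress']
                # Populated on S4U2proxy requests: the identity being carried forward.
                TransmittedServices = $data['TransmittedServices']
            }
        }
    }
}

"4769 events with weak ticket encryption in the last 24 hours:"
$findings | Sort-Object TimeCreated | Format-Table -AutoSize
```

Cross-reference the second table against the first: a weak-etype TGS request whose requester or service is one of the Protocol Transition accounts is the combination the mitigation list asks you to watch for.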

Read the full report for CVE-2025-60704 on our website for more details including interactive diagrams and full exploit analysis.
