DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-20833: The Undying Zombie: Windows Kerberos RC4 Disclosure

Vulnerability ID: CVE-2026-20833
CVSS Score: 5.5
Published: 2026-01-13

CVE-2026-20833 exposes a fundamental weakness in how Windows handles legacy cryptography within the Kerberos authentication protocol. Despite years of warnings, the Key Distribution Center (KDC) continued to entertain requests for RC4-HMAC encryption, a cipher from 1987 that is cryptographically broken. This vulnerability allows local attackers to downgrade authentication exchanges to this weak cipher, facilitating trivial brute-force attacks and information disclosure. It is less of a 'bug' in the code and more of a 'bug' in decision-making that prioritized backward compatibility over security.

TL;DR

Windows Kerberos is still speaking RC4, a broken cipher from the 80s. Local attackers can force the KDC to issue RC4-encrypted tickets, allowing for easy offline cracking (Kerberoasting) and information disclosure. Microsoft has finally added registry enforcement to kill it.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-327
  • Attack Vector: Local (AV:L)
  • CVSS Score: 5.5 (Medium)
  • EPSS Score: 0.02%
  • Impact: High Confidentiality
  • Encryption Type: RC4-HMAC (etype 23)
  • Fix Type: Registry Enforcement

Affected Systems

  • Windows Server 2025: < 10.0.26100.32230 (Fixed in: 10.0.26100.32230)
  • Windows Server 2022: < 10.0.20348.4648 (Fixed in: 10.0.20348.4648)
  • Windows Server 2019: < 10.0.17763.8276 (Fixed in: 10.0.17763.8276)
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP1
  • Windows Server 2008 SP2

Exploit Details

  • Rubeus: Tool capable of requesting specific etypes (RC4) for Kerberoasting.
  • Mimikatz: Capable of extracting and manipulating Kerberos tickets.

Mitigation Strategies

  • Disable RC4-HMAC support globally via Group Policy.
  • Configure 'Network security: Configure encryption types allowed for Kerberos' to allow only AES-128 and AES-256.
  • Set the 'KdcForceAES' registry key on Domain Controllers.

Remediation Steps

  1. Apply Microsoft Patch KB5073381 to all Domain Controllers.
  2. Set the 'KdcAuditRc4Usage' registry value to 1 to log RC4 usage (Event ID 33).
  3. Identify and update legacy clients/services that rely on RC4.
  4. Set the 'KdcForceAES' registry value to 1 to block RC4 ticket issuance.
  5. Verify that the 'msDS-SupportedEncryptionTypes' attribute on service accounts excludes RC4.
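The audit-then-enforce sequence above as an added PowerShell example (not part of the original report or of Microsoft's documentation): it turns on RC4 auditing, pulls the audit events, lists SPN-bearing accounts whose msDS-SupportedEncryptionTypes still permits RC4, and leaves the KdcForceAES switch as the final, deliberately commented step. The registry path under the Kdc service key and the System log / KDC provider as the home of Event ID 33 are assumptions, since the report names only the values and the event ID.

```powershell
# Added example, not from the report. Assumptions (labelled): the KDC values named in the
# report live under the Kdc service key, and Event ID 33 is written by the KDC provider to
# the System log. Run on a Domain Controller with the ActiveDirectory (RSAT) module.
#Requires -Modules ActiveDirectory
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed location

# Step 2: audit only, no enforcement yet, so legacy RC4 dependents surface in the log.
New-ItemProperty -Path $KdcKey -Name 'KdcAuditRc4Usage' -Value 1 -PropertyType DWord -Force | Out-Null

# Step 3: after a soak period, read the audit events; the message names the requester/service.
$rc4Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'                                                  # assumed
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'       # assumed
    Id           = 33                                                        # from the report
} -ErrorAction SilentlyContinue
$rc4Events | Select-Object TimeCreated, Message | Format-Table -Wrap

# Step 5: msDS-SupportedEncryptionTypes is a bitmask: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
# An unset attribute means the account never opted into AES and is treated here as RC4-capable.
$RC4 = 0x4
$AES = 0x18
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
             -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name      = $_.Name
            EncTypes  = if ($null -eq $etypes) { 'unset' } else { '0x{0:X}' -f $etypes }
            AllowsRC4 = ($null -eq $etypes) -or (($etypes -band $RC4) -ne 0)
            AllowsAES = ($null -ne $etypes) -and (($etypes -band $AES) -ne 0)
        }
    } | Where-Object { $_.AllowsRC4 } | Sort-Object Name | Format-Table -AutoSize

# Step 4: only once the list above is empty and Event 33 has stayed quiet for the soak period,
# enforce AES issuance. Uncomment when ready:
# New-ItemProperty -Path $KdcKey -Name 'KdcForceAES' -Value 1 -PropertyType DWord -Force | Out-Null
```

Accounts that show AllowsRC4 but not AllowsAES are the ones to fix before enforcement, since forcing AES there breaks their service tickets rather than hardening them.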

Read the full report for CVE-2026-20833 on our website for more details including interactive diagrams and full exploit analysis.
