DEV Community

Mark0


Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse

CVE-2026-20929 is a Kerberos authentication relay vulnerability that abuses DNS CNAME records. The flaw lets an attacker influence how a client resolves a Service Principal Name (SPN): by redirecting the client's DNS queries through a CNAME, the attacker can steer it into requesting a service ticket for a target it never meant to talk to, such as the Active Directory Certificate Services (AD CS) web enrollment host, and then present that ticket to the real target. This sidesteps the property that had made Kerberos relay hard in practice, namely that a service ticket is issued for the SPN of the service the client actually intended to reach.

The main impact is a Kerberos-based variant of ESC8: the relayed authentication is forwarded to the AD CS web enrollment endpoint to obtain a certificate for the victim identity, and that certificate then provides persistent access through certificate-based (PKINIT) logon. Unlike NTLM relay, this works in environments where NTLM is disabled, and it succeeds against web enrollment endpoints that do not strictly enforce channel binding (Channel Binding Token, CBT, enforced in IIS through Extended Protection for Authentication). Security teams should monitor for anomalous certificate-based authentication and for unusual access patterns against the AD CS web enrollment service in order to detect these relays.
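The two detection ideas above turn into concrete correlations. A relayed ticket leaves a split footprint: the victim host asks the KDC for a service ticket to the CA's service account (event 4769, with the victim as Client Address), but the ticket is presented to the /certsrv web enrollment site from the attacker's host (visible in the CA's IIS log as a different c-ip for the same account). Shortly afterwards the victim identity performs a certificate-based TGT request (event 4768 with Pre-Authentication Type 16, PKINIT) from the attacker's address. The script below is an added example, not code from the article or from Microsoft; the hosts, accounts, IP addresses, time stamps and log lines are constructed, the CA machine account name and the ten-minute window are assumptions, and only the field names follow the Windows event XML and the IIS W3C format.

```python
"""Correlation checks for the Kerberos relay pattern described above.

Added example, not code from the article or from Microsoft. Hosts, accounts,
addresses and time stamps are constructed. Field names mirror the Windows
4769/4768 event XML (ServiceName, ClientAddress, PreAuthType, ...) and the
IIS W3C log format, but every record below is made up.
"""
from datetime import datetime, timedelta

ADCS_SERVICE_ACCOUNT = "PKI01$"   # assumption: machine account of the AD CS web enrollment host
WINDOW = timedelta(minutes=10)    # assumption: how far apart correlated records may be


def ts(s):
    return datetime.fromisoformat(s)


# Constructed 4769 records ("A Kerberos service ticket was requested"). 4769 logs
# the service *account*, not the SPN string, and ClientAddress is the host that
# asked the KDC for the ticket (IPv4 clients appear as IPv6-mapped addresses).
TGS_EVENTS = [
    {"EventID": 4769, "time": "2026-02-10T10:00:01", "AccountName": "WS01$@CORP.LOCAL",
     "ServiceName": ADCS_SERVICE_ACCOUNT, "ClientAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "time": "2026-02-10T10:02:00", "AccountName": "jdoe@CORP.LOCAL",
     "ServiceName": ADCS_SERVICE_ACCOUNT, "ClientAddress": "::ffff:10.0.0.77"},
]

# Constructed 4768 records ("A Kerberos authentication ticket (TGT) was requested").
# PreAuthType 16 is PKINIT, i.e. the logon used a certificate rather than a password.
TGT_EVENTS = [
    {"EventID": 4768, "time": "2026-02-10T10:00:40", "AccountName": "WS01$",
     "PreAuthType": "16", "ClientAddress": "::ffff:10.0.0.66", "CertIssuerName": "corp-PKI01-CA"},
    {"EventID": 4768, "time": "2026-02-10T10:03:00", "AccountName": "jdoe",
     "PreAuthType": "2", "ClientAddress": "::ffff:10.0.0.77", "CertIssuerName": ""},
]

# Constructed IIS W3C log from the CA's web enrollment site (/certsrv).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-02-10 10:00:05 10.0.0.20 POST /certsrv/certfnsh.asp - 443 CORP\\WS01$ 10.0.0.66 200
2026-02-10 10:02:03 10.0.0.20 POST /certsrv/certfnsh.asp - 443 CORP\\jdoe 10.0.0.77 200
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into one dict per request line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def sam(name):
    """Normalise 'CORP\\WS01$', 'WS01$@CORP.LOCAL' and 'ws01$' to 'ws01$'."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def ip(addr):
    """Strip the ::ffff: prefix Windows puts in front of IPv4 client addresses."""
    return addr.lower().removeprefix("::ffff:")


def relayed_enrollments(tgs_events, iis_rows, window=WINDOW):
    """Ticket for the CA's service account requested from one host but presented
    to /certsrv from another host within `window`: the victim asked the KDC, the
    attacker spoke to the CA."""
    hits = []
    for row in iis_rows:
        if not row["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue
        used_at = ts(f"{row['date']}T{row['time']}")
        for ev in tgs_events:
            if sam(ev["AccountName"]) != sam(row["cs-username"]):
                continue
            if sam(ev["ServiceName"]) != sam(ADCS_SERVICE_ACCOUNT):
                continue
            delta = used_at - ts(ev["time"])
            if timedelta(0) <= delta <= window and ip(ev["ClientAddress"]) != row["c-ip"]:
                hits.append({"account": sam(ev["AccountName"]),
                             "ticket_requested_from": ip(ev["ClientAddress"]),
                             "presented_from": row["c-ip"]})
    return hits


def pkinit_after_enrollment(tgt_events, iis_rows, window=WINDOW):
    """Certificate-based (PKINIT) TGT request for an account shortly after a web
    enrollment request for that same account: the freshly issued certificate is
    being used to log on."""
    hits = []
    for ev in tgt_events:
        if ev["PreAuthType"] != "16":
            continue
        logon_at = ts(ev["time"])
        for row in iis_rows:
            if sam(row["cs-username"]) != sam(ev["AccountName"]):
                continue
            delta = logon_at - ts(f"{row['date']}T{row['time']}")
            if timedelta(0) <= delta <= window:
                hits.append({"account": sam(ev["AccountName"]),
                             "pkinit_from": ip(ev["ClientAddress"]),
                             "enrolled_from": row["c-ip"]})
                break
    return hits


if __name__ == "__main__":
    rows = parse_w3c(IIS_LOG)
    for hit in relayed_enrollments(TGS_EVENTS, rows):
        print("relay candidate:", hit)
    for hit in pkinit_after_enrollment(TGT_EVENTS, rows):
        print("certificate logon after web enrollment:", hit)
```

Run against the constructed data, the first check flags WS01$ (ticket requested from 10.0.0.50, presented to the CA from 10.0.0.66) and leaves jdoe alone, and the second flags the PKINIT logon for WS01$ from 10.0.0.66 forty seconds after the enrollment. Two caveats for production use: the three sources name the same principal three different ways, so the normalisation in `sam()` and `ip()` is what makes the join work, and a ticket legitimately obtained on one host and used from another (proxies, NAT, constrained delegation) will also trip the first rule, so treat its output as a lead to be confirmed by the PKINIT correlation and by the certificate issuance records on the CA.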


