{"id":9972,"date":"2026-01-19T10:03:35","date_gmt":"2026-01-19T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/19\/new-kerberos-relay-attack-uses-dns-cname-to-bypass-mitigations-poc-released\/"},"modified":"2026-01-19T10:03:35","modified_gmt":"2026-01-19T10:03:35","slug":"new-kerberos-relay-attack-uses-dns-cname-to-bypass-mitigations-poc-released","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/19\/new-kerberos-relay-attack-uses-dns-cname-to-bypass-mitigations-poc-released\/","title":{"rendered":"New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations \u2013 PoC Released"},"content":{"rendered":"

New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations \u2013 PoC Released
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical flaw in Windows Kerberos<\/a> authentication that significantly expands the attack surface for credential relay attacks in Active Directory environments.<\/p>\n

By abusing how Windows clients handle DNS CNAME responses during Kerberos service ticket requests, attackers can coerce systems into requesting tickets for attacker-controlled services, bypassing traditional protections.<\/p>\n

\"Abuse
Abuse\u00a0flow\u00a0chart (Source: Cymulate)<\/figcaption><\/figure>\n

The Attack Vector<\/strong><\/h2>\n

The vulnerability centers on a fundamental behavior: when a Windows client receives a DNS CNAME record<\/a>, it follows the alias. It constructs the Ticket Granting Service (TGS) request using the CNAME hostname as the Service Principal Name (SPN).<\/p>\n

An attacker positioned on-path to intercept DNS traffic can exploit this to force victims into requesting service tickets for attacker-chosen targets.<\/p>\n

The technique requires an attacker to establish DNS man-in-the-middle<\/a> capabilities through ARP poisoning, DHCPv6 poisoning (MITM6), or similar methods.<\/p>\n

\"The
The victim is redirected to the attacker\u2019s server, which responds with 401 to force Kerberos authentication. (Source: Cymulate)<\/p>\n<\/figcaption><\/figure>\n

When a victim attempts to access a legitimate domain asset, the malicious DNS server responds with a CNAME record pointing to an attacker-controlled hostname, along with an A record resolving to the attacker\u2019s IP address.<\/p>\n

This causes the victim to authenticate against the attacker\u2019s infrastructure using a ticket intended for the attacker\u2019s target service.<\/p>\n

Attack Capabilities and Impact<\/strong>:<\/p>\n

\n\n\n\n\n\n\n\n\n
Impact Area<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
RCE<\/strong><\/td>\nRemote code execution via ADCS Web Enrollment (ESC8)<\/td>\n<\/tr>\n
Relay Attacks<\/strong><\/td>\nCross-protocol relays (HTTP\u2192SMB, HTTP\u2192LDAP)<\/td>\n<\/tr>\n
Lateral Movement<\/strong><\/td>\nUnauthorized access and network spread<\/td>\n<\/tr>\n
Impersonation<\/strong><\/td>\nUser impersonation without passwords<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Testing confirmed exploitation works on default configurations across Windows 10, Windows 11<\/a>, Windows Server 2022, and Windows Server 2025.<\/p>\n

The attack succeeds against unprotected services, including SMB, HTTP, and LDAP, when signing or Channel Binding Tokens (CBT) are not enforced. The vulnerability was responsibly disclosed to Microsoft in October 2025.<\/p>\n

\"DNS
DNS poisoning redirects the victim to a malicious target, forcing a Kerberos TGS request. (Source: Cymulate)<\/figcaption><\/figure>\n

In response, Microsoft implemented CBT support for HTTP.sys. It released patches across supported Windows Server versions in January 2026 security updates, tracked as CVE-2026-20929<\/a>.<\/p>\n

However, this mitigation only addresses HTTP relay scenarios. The underlying DNS CNAME coercion primitive remains unchanged, leaving other protocols vulnerable.<\/p>\n

Proof of Concept<\/strong><\/h2>\n

Researchers released a modified version of the MITM6 tool on GitHub<\/a> with CNAME poisoning capabilities. The tool supports targeted CNAME poisoning against specific domains or all DNS queries.<\/p>\n

Includes DNS-only mode for ARP poisoning integration, and enables passthrough for critical infrastructure connectivity. Exploitation requires Python 3.x and a Linux<\/a> operating system.<\/p>\n

\"A
A record for\u00a0adcs-server.mycorp.local\u00a0pointing to the attacker\u2019s IP\u00a0 (Source: Cymulate)<\/figcaption><\/figure>\n

Cymulate Research Labs advises<\/a> organizations to implement layered defenses:<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Security Layer<\/th>\nRecommended Control<\/th>\nPurpose<\/th>\n<\/tr>\n<\/thead>\n
SMB Security<\/td>\nEnforce SMB signing on all servers beyond domain controllers<\/td>\nPrevents SMB relay and man-in-the-middle attacks<\/td>\n<\/tr>\n
Directory Services<\/td>\nRequire LDAP signing and enforce LDAPS Channel Binding Tokens (CBT) where supported<\/td>\nProtects against LDAP relay and credential interception<\/td>\n<\/tr>\n
Web Services<\/td>\nMandate HTTPS with CBT for all internal HTTP services<\/td>\nMitigates NTLM relay attacks over HTTP<\/td>\n<\/tr>\n
DNS Infrastructure<\/td>\nHarden DNS servers and consider DNS over HTTPS (DoH)<\/td>\nReduces DNS spoofing and traffic manipulation risks<\/td>\n<\/tr>\n
Kerberos Monitoring<\/td>\nMonitor anomalous TGS requests targeting unusual SPNs<\/td>\nDetects potential Kerberos abuse or lateral movement<\/td>\n<\/tr>\n
Threat Detection<\/td>\nAlert on cross-protocol authentication patterns<\/td>\nIdentifies NTLM\/Kerberos relay and protocol abuse attempts<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The research underscores a critical security reality: Kerberos itself does not inherently prevent relay attacks.\u00a0 Enforcement of protection lies at the service level.<\/p>\n

\"After
After DNS poisoning, the victim connects to the attacker\u2019s rogue HTTP or SMB server.(Source: Cymulate)<\/figcaption><\/figure>\n

Disabling NTLM alone is insufficient; organizations must explicitly enforce anti-relay protections across every Kerberos-enabled service to eliminate relay risk effectively.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations \u2013 PoC Released<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations \u2013 PoC Released A critical flaw in Windows Kerberos authentication that significantly expands the attack surface for credential relay attacks in Active Directory environments. By abusing how Windows clients handle DNS CNAME responses during Kerberos service ticket requests, attackers can coerce systems into requesting tickets […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648,395],"tags":[130],"class_list":["post-9972","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9972"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9972"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9972\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}