CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse. This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research.
CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.
Related Research and Context
CVE-2026-20929 represents a sophisticated attack vector that exploits the interaction between DNS CNAME records and Kerberos Service Principal Name (SPN) resolution. While this vulnerability can be exploited against various services, this blog focuses on one particularly dangerous attack vector: relaying Kerberos authentication to AD CS servers to enroll certificates for user accounts, providing persistent access that can last months or years.
Understanding CVE-2026-20929 requires context from prior Kerberos relay research:
Kerberos Relay Fundamentals: In 2021, a security researcher demonstrated that Kerberos authentication can be relayed if an attacker can control the SPN used by a client. This research explored multiple techniques for influencing SPN selection across various protocols, challenging the assumption that Kerberos was inherently relay-proof.
DNS-Based Kerberos Relay: In 2022, a security researcher demonstrated practical Kerberos relay techniques using mitm6 to relay DNS authentication to AD CS endpoints. His work showed how DHCPv6 spoofing combined with DNS manipulation could enable Kerberos relay attacks and resulted in the krbrelayx tool.
AD CS Attack Vectors: The SpecterOps research team's "Certified Pre-Owned" work documented AD CS exploitation techniques, including ESC8 (relay to AD CS HTTP endpoints), establishing the foundation for understanding certificate-based attacks in Active Directory.
Understanding ESC8: NTLM Relay to AD CS HTTP Endpoints
Before diving into the Kerberos variant, it's important to understand the foundational attack: ESC8, documented in the SpecterOps "Certified Pre-Owned" research.
ESC8 Attack Overview
AD CS provides a web-based enrollment interface (accessible via the /certsrv endpoint) that allows users and computers to request certificates through a browser. This "Certification Authority Web Enrollment" component accepts both NTLM and Kerberos authentication. The ESC8 attack exploits this interface through NTLM relay:
- The attacker coerces a victim (often a machine account or privileged user) to authenticate to an attacker-controlled server
- The attacker relays the NTLM authentication to the AD CS web enrollment endpoint (/certsrv)
- AD CS accepts the relayed authentication and issues a certificate in the victim's name
- The attacker uses the certificate for persistent authentication as the victim
CVE-2026-20929 (Kerberos-Based ESC8)
- Uses Kerberos relay instead of NTLM
- Exploits CNAME-based SPN manipulation to control which service ticket the client requests
- Enables relay even in environments that have disabled NTLM
- Targets the same AD CS web enrollment endpoint (/certsrv)
How Channel Binding Token (CBT) Protection Works
- A channel binding token is derived from the server's TLS certificate
- This token is cryptographically bound to the authentication
- The server verifies the authentication came through its specific TLS channel
- If an attacker relays authentication to a different server (with a different certificate), the channel binding won't match and authentication fails
Why AD CS Web Enrollment Is an Attractive Relay Target
AD CS web enrollment represents a particularly attractive target for Kerberos relay attacks for several reasons:
- Many organizations still deploy web enrollment over plain HTTP for internal use; channel binding requires a TLS channel, so HTTP enrollment gets no CBT protection at all
- Certificates provide persistent authentication (typically valid for 1+ years)
- Certificates are often less monitored than password-based authentication
Vulnerability Technical Analysis
CVE-2026-20929 exploits how Kerberos handles Service Principal Names during the DNS resolution process that precedes authentication.
DNS Manipulation Mechanism
Before a client can authenticate to a service, it must resolve the service hostname to an IP address via DNS. Attackers can manipulate this resolution step by crafting DNS responses that contain both:
- A CNAME record redirecting the requested hostname to a different target
- An A record in the same response providing the IP address for that target
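As an added example (not CrowdStrike's code or detection content), a stdlib-only Python checker that parses a DNS response in wire format and flags the CNAME-plus-A pattern just described: a CNAME whose target is a host inside the AD domain, bundled with an A record for that target that resolves outside the trusted address space. The domain name and trusted ranges are assumed values, and the sample response is constructed inline.

```python
import ipaddress
import struct

AD_DOMAIN = "test.local"                                   # assumed AD DNS domain
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed corporate ranges

def _name(pkt, off):
    """Decode a (possibly compressed) DNS name; return (name, offset just past it)."""
    labels, end = [], None
    while pkt[off] != 0:
        if pkt[off] >= 0xC0:                               # compression pointer
            end = end or off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii"))
            off += 1 + pkt[off]
    return ".".join(labels).lower(), (end or off + 1)
def answers(pkt):
    """Yield (owner, rtype, rdata) per answer RR: CNAME -> target name, A -> dotted IP."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qd):
        off = _name(pkt, off)[1] + 4                       # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        owner, off = _name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 5:
            yield owner, rtype, _name(pkt, off)[0]
        elif rtype == 1:
            yield owner, rtype, str(ipaddress.IPv4Address(pkt[off:off + 4]))
        off += rdlen
def cname_relay_suspects(pkt):
    """Flag CNAMEs that land on an in-domain host whose bundled A record is untrusted."""
    recs = list(answers(pkt))
    a_map = {o: r for o, t, r in recs if t == 1}
    hits = []
    for owner, t, target in recs:
        ip = a_map.get(target) if t == 5 and target.endswith("." + AD_DOMAIN) else None
        if ip and not any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS):
            hits.append((owner, target, ip))
    return hits

def _enc(n):                                               # uncompressed wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def constructed_response(qname, target, ip):
    """Constructed sample: one response carrying qname CNAME target and target A ip."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    rr_c = _enc(qname) + struct.pack("!HHIH", 5, 1, 60, len(_enc(target))) + _enc(target)
    rr_a = _enc(target) + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + _enc(qname) + struct.pack("!HH", 1, 1) + rr_c + rr_a
```

Feeding `cname_relay_suspects` the raw response bytes from a resolver log or packet capture yields the (queried name, CNAME target, untrusted IP) triples worth alerting on.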
Attack Flow
- The victim tries to access a web server (web01.test.local)
- A DNS query is sent to resolve web01.test.local
- The attacker intercepts the request and responds with a CNAME record pointing web01.test.local to CA01.test.local, plus an A record for CA01.test.local that points to the attacker-controlled IP address
- The victim accesses the attacker-controlled web server
- The malicious web server replies with a 401 and requests Kerberos authentication
- The victim requests a service ticket for HTTP/CA01.test.local from the DC
- The DC responds with the service ticket
- The victim sends the HTTP/CA01.test.local service ticket to the malicious server
- The attacker uses the TGS (service ticket) to authenticate to the AD CS server and enroll a certificate for the victim
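As an added example (not CrowdStrike's detection logic), a Python correlation in the spirit of the approach described earlier: a certificate-based (PKINIT) TGT request for an account, from an IP never seen in that account's password-based Kerberos activity, arriving shortly after AD CS issued a certificate to the same account. It assumes Windows security event IDs 4768, 4769 and 4887 as the telemetry, the correlation window and AD CS SPN are assumed values, and the event records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)            # assumed correlation window
ADCS_SPN_PREFIX = "http/ca01"             # assumed SPN of the AD CS web enrollment host

# Constructed sample telemetry, not real logs. Event ids follow Windows security auditing:
# 4768 TGT requested (cert_thumbprint set only for certificate/PKINIT logons),
# 4769 service ticket requested, 4887 AD CS issued a certificate.
EVENTS = [
    {"ts": "2026-01-20T09:00:00", "id": 4768, "user": "alice", "ip": "10.1.1.20", "cert_thumbprint": ""},
    {"ts": "2026-01-20T09:05:00", "id": 4769, "user": "alice", "ip": "10.1.1.20", "spn": "HTTP/CA01.test.local"},
    {"ts": "2026-01-20T09:05:30", "id": 4887, "requester": "TEST\\alice", "request_id": 4711},
    {"ts": "2026-01-20T09:07:00", "id": 4768, "user": "alice", "ip": "10.1.1.99", "cert_thumbprint": "a1b2c3"},
    {"ts": "2026-01-20T10:00:00", "id": 4768, "user": "bob", "ip": "10.1.1.30", "cert_thumbprint": ""},
    {"ts": "2026-01-20T10:01:00", "id": 4887, "requester": "TEST\\bob", "request_id": 4712},
    {"ts": "2026-01-20T10:02:00", "id": 4768, "user": "bob", "ip": "10.1.1.30", "cert_thumbprint": "d4e5f6"},
]

def _account(e):
    """Map 'DOMAIN\\user' (4887 Requester) and bare user names to one lowercase key."""
    return (e.get("user") or e.get("requester", "")).split("\\")[-1].lower()

def correlate(events, window=WINDOW):
    """Alert when a certificate-based TGT request comes from an IP never seen for that
    account and an AD CS certificate was issued to the account within `window` before."""
    seen_ips = defaultdict(set)          # account -> IPs seen in non-certificate Kerberos use
    issued = defaultdict(list)           # account -> [(ts, request_id)]
    spn_hits = defaultdict(list)         # account -> [ts of ticket request for AD CS SPN]
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        acct, t = _account(e), datetime.fromisoformat(e["ts"])
        in_window = lambda ts: t - window <= ts <= t
        if e["id"] == 4887:
            issued[acct].append((t, e["request_id"]))
        elif e["id"] == 4769:
            seen_ips[acct].add(e["ip"])
            if e["spn"].lower().startswith(ADCS_SPN_PREFIX):
                spn_hits[acct].append(t)
        elif e["id"] == 4768 and not e["cert_thumbprint"]:
            seen_ips[acct].add(e["ip"])          # password/baseline logon, learn the IP
        elif e["id"] == 4768:                    # certificate-based (PKINIT) TGT request
            reqs = [r for ts, r in issued[acct] if in_window(ts)]
            if reqs and e["ip"] not in seen_ips[acct]:
                alerts.append({"account": acct, "cert_ip": e["ip"], "request_ids": reqs,
                               "thumbprint": e["cert_thumbprint"],
                               "enroll_spn_seen": any(map(in_window, spn_hits[acct]))})
    return alerts
```

Bob's certificate logon from his usual IP produces nothing, while Alice's certificate logon from a new IP right after an enrollment is returned with the AD CS request ID so the issued certificate can be revoked.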

Facts Only

- CVE-2026-20929 is a vulnerability with a CVSS score of 7.5, patched in January 2026.
- The vulnerability enables Kerberos authentication relay through DNS CNAME record abuse.
- Attackers can exploit this to relay authentication to Active Directory Certificate Services (AD CS).
- The attack allows enrollment of certificates for user accounts, providing persistent access.
- CrowdStrike developed a detection method based on anomalous certificate authentication and AD CS service access.
- Prior research includes Kerberos relay techniques demonstrated in 2021 and DNS-based methods in 2022.
- The ESC8 attack, documented by SpecterOps, involves NTLM relay to AD CS HTTP endpoints.
- CVE-2026-20929 uses Kerberos relay instead of NTLM, targeting the same AD CS web enrollment endpoint.
- Channel Binding Token (CBT) protection can prevent relay attacks but is ineffective if AD CS uses HTTP.
- The attack flow involves DNS manipulation, intercepting queries, and redirecting victims to attacker-controlled servers.
- The victim’s Kerberos service ticket is then relayed to AD CS to enroll a certificate.
- Certificates provide long-term authentication, often valid for 1+ years, and are less monitored than password-based methods.

Executive Summary

CVE-2026-20929 is a high-severity vulnerability (CVSS 7.5) patched in January 2026 that enables Kerberos authentication relay attacks via DNS CNAME record abuse. The attack exploits how Kerberos resolves Service Principal Names (SPNs) during DNS queries, allowing attackers to manipulate authentication requests to target services like Active Directory Certificate Services (AD CS). By relaying authentication to AD CS, attackers can enroll certificates for user accounts, granting persistent access that may last months or years. This technique builds on prior research, including NTLM relay attacks (ESC8) and DNS-based Kerberos relay methods, but operates even in environments where NTLM is disabled. The vulnerability is particularly dangerous because AD CS web enrollment endpoints often lack Channel Binding Token (CBT) protection when using HTTP, making them vulnerable to relay attacks. Detection methods focus on correlating anomalous certificate-based authentication with unusual AD CS service access within short timeframes.
The attack flow involves intercepting DNS queries, redirecting them via CNAME records to attacker-controlled servers, and then relaying the victim’s Kerberos service ticket to AD CS to enroll a certificate. This method leverages the trust placed in Kerberos authentication and the long-term validity of certificates, which are often less monitored than traditional password-based authentication. The vulnerability underscores the ongoing challenges in securing Kerberos and the risks posed by legacy configurations in Active Directory environments.

Full Take

This analysis of CVE-2026-20929 highlights a sophisticated evolution in Kerberos relay attacks, leveraging DNS manipulation to bypass traditional security assumptions. The strongest version of this narrative emphasizes the vulnerability’s novelty—using CNAME records to control SPN resolution—and its real-world impact, particularly in environments where NTLM is disabled but AD CS remains exposed. The source deserves credit for contextualizing the attack within prior research (e.g., ESC8, mitm6) and clarifying why AD CS is a high-value target: persistent access, weak monitoring, and HTTP-based enrollment endpoints that nullify CBT protections.
Pattern scan: The narrative avoids emotional exploitation or distortion, focusing on technical precision. However, it subtly frames the vulnerability as an inevitable escalation in attack techniques, which could imply a deterministic view of cybersecurity threats. This aligns with **ARC-0012 Deterministic Threat Framing**, where complex systems are portrayed as inherently vulnerable without sufficient emphasis on mitigating factors like network segmentation or certificate lifecycle management.
Root cause: The paradigm here is the tension between legacy protocols (Kerberos, DNS) and modern security assumptions. The unstated assumption is that organizations will struggle to retire HTTP-based AD CS endpoints or implement CBT universally, leaving them perpetually exposed to relay attacks. This echoes historical patterns of "defense in depth" failures, where single points of failure (e.g., DNS trust) undermine layered security.
Implications: Human agency is both the problem and the solution. Administrators bear the cost of patching, monitoring, and reconfiguring AD CS, while attackers gain asymmetric advantages from persistent certificate-based access. Second-order consequences include increased reliance on certificate revocation and monitoring, which many organizations lack the resources to implement effectively.
Bridge questions: How might organizations balance the operational need for HTTP-based AD CS enrollment with the security risks highlighted here? What alternative authentication mechanisms could reduce reliance on Kerberos in high-risk scenarios? Would a shift to short-lived certificates mitigate the persistence advantage of this attack?
Counterstrike scan: A coordinated influence campaign exploiting this narrative might amplify fear around Kerberos vulnerabilities to push vendor-specific solutions (e.g., "only our detection tool can stop this"). However, the content here remains technical and solution-agnostic, focusing on detection methods rather than fear-mongering. No structural alignment with manipulation patterns is detected.