CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse. This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed...
This analysis of CVE-2026-20929 highlights a sophisticated evolution in Kerberos relay attacks, leveraging DNS manipulation to bypass traditional security assumptions. The strongest version of this narrative emphasizes the vulnerability’s novelty—using CNAME records to control SPN resolution—and its real-world impact, particularly in environments where NTLM is disabled but AD CS remains exposed. The source deserves credit for contextualizing the attack within prior research (e.g., ESC8, mitm6) a...