Tuesday, 2 June 2026

Black Hat Europe 2025 | You Win Some, You CheckSum: A Kerberos Delegation Vulnerability

In Active Directory networks, user identity impersonation is commonly used when applications need to access network resources on behalf of the user. One of the safest ways to implement this is through Kerberos Constrained Delegation (KCD), which enforces trust boundaries between the application and the target services. In this talk, we'll dive into the internals of the authentication process behind these mechanisms and present CVE-2025-60704: a logical vulnerability we discovered in Microsoft's Kerberos implementation. Using a Machine-in-the-Middle technique, this flaw allowed us to impersonate arbitrary users and ultimately gain control over the entire domain. To understand how the vulnerability works, we'll walk through protocol behavior, trust assumptions, and some light reverse engineering of Windows internals that helped us trace the flaw down to its root. Finally, we'll discuss mitigation strategies and how to better protect environments relying on Kerberos delegation.

By:
Eliran Partush | Security Researcher, Silverfort
Dor Segal | Security Research Team Lead, Silverfort

https://ift.tt/jG2l19v

source https://www.youtube.com/watch?v=G_Q75jocldo
