Your IT team’s sweating bullets right now, because CVE-2026-20929 just exposed how easy it is for attackers to snag certificates from Active Directory Certificate Services using nothing fancier than a twisted DNS CNAME record.
Who does this hit? Real people: you, the sysadmin patching servers at 2 a.m., or the CISO explaining to the board why a breach lasted months. Certificates don’t expire fast—they’re golden tickets for persistent access. This one’s patched in January 2026’s Patch Tuesday, but if you’re late, you’re toast.
Look, I’ve covered these Active Directory messes for two decades. Kerberos was supposed to be the unbreakable chain in Microsoft’s empire. Ha. Attackers keep finding the weak links, relaying auth like it’s 1999 all over again.
Why CVE-2026-20929 Screws Over Even ‘Secure’ Networks
Short answer: it bypasses NTLM blocks. You’ve disabled NTLM everywhere? Good for you. Doesn’t matter. This Kerberos relay via CNAME abuse hits the AD CS web enrollment endpoint: that /certsrv page many orgs still run over plain HTTP internally (yes, in 2026).
Here’s the flow, brutally simple. Victim hits a fake web server. DNS query for web01.test.local? Attacker slips in a CNAME to CA01.test.local plus an A record to their rig. Boom—Kerberos ticket gets requested for the wrong SPN, relayed straight to AD CS. Certificate issued in victim’s name. Persistent access, baby.
CrowdStrike nailed the detection: watch for weird certificate auth right after odd AD CS hits. They call it correlation-based—smart, but let’s be real, it’s just finally connecting dots everyone ignored.
CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.
That’s their words. Solid. But who profits? CrowdStrike, sure—their Falcon sensor lights up. Microsoft? Patches mean headlines they spin as ‘proactive.’ You? Hopefully safer, if you apply it.
And HTTP for cert enrollment? Come on. No TLS channel binding there. Channel binding (CBT) kills relays on HTTPS: the client derives a token from the server’s TLS certificate and folds it into the authentication, so the service can check that the auth it received was bound to its own TLS channel, not someone else’s. Over HTTP there is no channel to bind to, so no dice. Lazy configs from the ’90s haunting us.
How Does This Kerberos Relay Even Work?
Kerberos basics: client grabs a ticket for a Service Principal Name. SPN ties to the service. DNS resolves the hostname first. Attackers poison that with CNAME—redirects the SPN resolution without changing the client’s request.
Builds on old research. 2021: folks showed SPN control via protocols. 2022: mitm6 for DNS relay to AD CS. SpecterOps’ ESC8? NTLM relay to same spot. This? Kerberos upgrade for NTLM-phobic shops.
One sentence. Terrifying.
It works because Kerberos trusts DNS blindly here—no canonicalization checks pre-patch. The client requests a ticket for the SPN the attacker’s CNAME steered it to, the attacker relays that authentication to the real CA, and the cert drops.
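A defender-side way to act on the DNS angle above is to audit the AD-integrated zone for aliases that canonicalize to a CA host. The following is an added example, not code from the article or from any vendor; the zone snapshot, the CA hostname and the alias allow-list are constructed for illustration. It follows CNAME chains the way a resolver would and flags two things: an owner name that ends up at a CA host without being a sanctioned alias, and an owner name that carries a CNAME alongside other records, which RFC 1034 forbids and which a legitimate zone should never contain.

```python
"""Audit a DNS zone snapshot for CNAME records that steer Kerberos
name canonicalization toward a certificate authority host.
Added example; ZONE, CA_HOSTS and ALLOWED_CA_ALIASES are constructed."""
from typing import List, Tuple

# Constructed zone snapshot: (owner name, record type, data).
ZONE: List[Tuple[str, str, str]] = [
    ("ca01.test.local.", "A", "10.0.0.20"),
    ("certenroll.test.local.", "CNAME", "ca01.test.local."),  # sanctioned alias
    ("web01.test.local.", "CNAME", "ca01.test.local."),       # unexpected alias
    ("web01.test.local.", "A", "10.0.0.99"),                  # CNAME + A on one owner
    ("fileserver.test.local.", "A", "10.0.0.30"),
]

CA_HOSTS = {"ca01.test.local."}                 # assumed CA hostnames
ALLOWED_CA_ALIASES = {"certenroll.test.local."}  # assumed PKI-team allow-list


def canonicalize(name, records, max_hops=8):
    """Follow CNAME hops like a resolver; return (canonical name, path)."""
    path = [name]
    current = name
    for _ in range(max_hops):
        targets = [d for (o, t, d) in records if o == current and t == "CNAME"]
        if not targets:
            return current, path
        current = targets[0]
        path.append(current)
    # Loop or chain too deep: return what we have, caller sees the path.
    return current, path


def audit_zone(records, ca_hosts=CA_HOSTS, allowed_aliases=ALLOWED_CA_ALIASES):
    """Return (owner, reason, detail) findings for suspicious CNAMEs."""
    findings = []
    owners_with_cname = {o for (o, t, _) in records if t == "CNAME"}
    for owner in sorted(owners_with_cname):
        canonical, path = canonicalize(owner, records)
        if canonical in ca_hosts and owner not in allowed_aliases:
            findings.append((owner,
                             "canonicalizes to a CA host outside the allow-list",
                             " -> ".join(path)))
        other_types = {t for (o, t, _) in records if o == owner and t != "CNAME"}
        if other_types:
            findings.append((owner,
                             "CNAME coexists with other records (RFC 1034 violation)",
                             ",".join(sorted(other_types))))
    return findings


if __name__ == "__main__":
    for owner, reason, detail in audit_zone(ZONE):
        print(f"{owner}: {reason} [{detail}]")
```

Run it against a real export (for example the output of a zone dump) by replacing `ZONE`; anything that reaches a CA name without being on the allow-list deserves a look at who created the record and when.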
Persistent. One-year validity, often more. Less logging than logons. Perfect for nation-states or ransomware crews camping out.
But here’s my take—no one else mentions it—this echoes the 2014 DNS rebinding bugs in browsers, but enterprise-flavored. Back then, we laughed at web devs. Now? Core directory services. Microsoft finally patches, but will they force HTTPS enrollment defaults? Doubt it. Too many legacy setups they’d break.
Is Your AD CS a Relay Magnet?
Check. Web enrollment on? HTTP? You’re vulnerable. ESC8 was NTLM; this is Kerberos. Both hit /certsrv.
Why AD CS? Certs = auth forever. No password sprays needed post-enroll. Machines, users—anyone coerced authenticates.
Coercion? Printer bugs, PetitPotam, whatever. Victim machine auths to attacker’s box. Relay flows.
CrowdStrike’s rule: anomalous cert auth + AD CS access in tight window. Implement it. Or buy theirs.
Cynical? Yeah. Vendors hype detections while root causes fester. Disable web enrollment if you can—use RPC or MMC. Enforce HTTPS everywhere. Enable CBT. But most won’t—too disruptive.
Historical parallel: Remember EternalBlue? SMB relay roots. Patched, but WannaCry rode it. This could be CVE-2026’s gift to ransomware. Bold prediction: we’ll see exploits in the wild by summer, targeting unpatched Patch Tuesday laggards.
Detecting and Dodging CVE-2026-20929
Patch first—KB whatever from Jan 2026. Then monitor.
SIEM queries: Event ID 4769 (Kerberos service ticket requested) with odd SPNs, paired with 4624 logons authenticated via certificates, near AD CS events (4886 request received, 4887 issued, 4888 denied).
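The correlation rule sketched here and in the “CrowdStrike’s rule” line above, as an added example (not CrowdStrike’s or Microsoft’s logic): for every AD CS issuance event, look for a certificate-based logon by the same account shortly after, and raise the severity if a service-ticket request for the CA’s SPN preceded it. The log lines are constructed and reduced to the fields the rule needs; real 4769/4624/4887 records carry many more fields, and the `CertificateThumbprint` marker on the logon line is a simplification of however your SIEM surfaces certificate-based authentication.

```python
"""Correlate Kerberos service-ticket, AD CS issuance and certificate-based
logon events that land within a short window.
Added example; SAMPLE_LOG, CA_HOSTS and WINDOW are constructed assumptions."""
from datetime import datetime, timedelta

CA_HOSTS = {"ca01.test.local"}       # assumed CA hostnames
WINDOW = timedelta(minutes=10)        # assumed correlation window

# Constructed, simplified event lines: timestamp|EventID|key=value|...
SAMPLE_LOG = """\
2026-01-14T02:10:05Z|4769|Account=WS01$|ServiceName=HTTP/ca01.test.local|ClientAddress=10.0.0.99
2026-01-14T02:10:09Z|4887|Requester=TEST\\WS01$|RequestID=1337|Template=Machine
2026-01-14T02:12:40Z|4624|Account=WS01$|AuthenticationPackage=Kerberos|CertificateThumbprint=ab12cd
2026-01-14T09:00:00Z|4769|Account=ALICE|ServiceName=cifs/fileserver.test.local|ClientAddress=10.0.0.30
2026-01-14T09:30:00Z|4887|Requester=TEST\\ALICE|RequestID=1338|Template=User
2026-01-15T11:00:00Z|4624|Account=ALICE|AuthenticationPackage=Kerberos|CertificateThumbprint=ef34
"""


def parse_log(text):
    """Turn the pipe-delimited lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split("|")
        ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
              "id": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        # Normalise DOMAIN\name and bare names to one comparable form.
        acct = ev.get("Account") or ev.get("Requester") or ""
        ev["account"] = acct.split("\\")[-1].upper()
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def spn_host(spn):
    """HTTP/ca01.test.local:443 -> ca01.test.local"""
    if "/" not in spn:
        return spn.lower()
    return spn.split("/", 1)[1].split(":")[0].lower()


def correlate(events, window=WINDOW, ca_hosts=CA_HOSTS):
    """Alert when a cert issuance is followed by a cert-based logon for the
    same account inside the window; severity rises if a service ticket for
    the CA's SPN was requested by that account just before issuance."""
    alerts = []
    for issued in (e for e in events if e["id"] in (4886, 4887)):
        acct, t0 = issued["account"], issued["time"]
        cert_logons = [e for e in events
                       if e["id"] == 4624 and e["account"] == acct
                       and e.get("CertificateThumbprint")
                       and t0 <= e["time"] <= t0 + window]
        if not cert_logons:
            continue
        ca_tgs = [e for e in events
                  if e["id"] == 4769 and e["account"] == acct
                  and spn_host(e.get("ServiceName", "")) in ca_hosts
                  and t0 - window <= e["time"] <= t0]
        alerts.append({
            "account": acct,
            "request_id": issued.get("RequestID"),
            "issued_at": t0,
            "logon_at": cert_logons[0]["time"],
            "severity": "high" if ca_tgs else "medium",
            "client_address": ca_tgs[0].get("ClientAddress") if ca_tgs else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed data the WS01$ chain (ticket for the CA’s SPN, issuance four seconds later, certificate logon within three minutes) fires as high severity, while ALICE’s ordinary request followed by a logon the next day stays quiet. Tune `WINDOW` and the template names to your environment before trusting the volume.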
Tools? Krbrelayx evolved, probably. Mitm6 for DHCPv6 spoof. Block it at network: filter rogue DHCP, DNS.
Long para time. Organizations still lean on AD CS because certs beat passwords for auth—PKI’s promise. But web interfaces? Shackled to browsers that accept NTLM or Kerberos without question. Add CNAME abuse—Kerberos’s DNS lookup flaw—and you’ve got a recipe for compromise that laughs at ‘modern’ protections like LAPS or protected users. I’ve seen teams spend millions on EDR, yet leave cert services wide open. Why? ‘It works.’ Until it doesn’t. And when certificates for domain admins get relayed? Game over. Lateral movement unchecked, persistence baked in. CrowdStrike’s correlation helps, but it’s reactive—true fix is ripping out HTTP endpoints, enforcing strict SPN canonicalization everywhere. Won’t happen overnight. Meanwhile, attackers adapt.
Two words: Patch. Now.
Frequently Asked Questions
What is CVE-2026-20929?
CVSS 7.5 bug letting Kerberos relay via DNS CNAME to AD CS for certificate theft. Patched Jan 2026.
How to detect Kerberos relay to AD CS?
Correlate cert auth events with AD CS access in short windows—CrowdStrike style. Watch SPN anomalies.
Does CVE-2026-20929 affect Kerberos-only environments?
Yes—bypasses NTLM blocks, targets web enrollment even on HTTPS if misconfigured, but HTTP’s worst.