Two separate Windows authentication weaknesses were highlighted as enabling high-impact Active Directory compromise via relay-style attacks. One issue, CVE-2025-33073, affects Windows SMB client authentication and enables NTLM reflection: attackers can coerce lsass.exe (running as SYSTEM) to authenticate to attacker-controlled infrastructure using techniques such as PetitPotam, DFSCoerce, and Printerbug, then relay/reflect that authentication to gain SYSTEM-level access and potentially full domain compromise. Reporting emphasized that despite a June 2025 patch, the condition remains widely present in enterprise environments due to incomplete patch adoption, and exploitation can be enabled with relatively low prerequisites such as the ability to register a malicious AD DNS record (often permitted to Authenticated Users by default) or to perform local DNS poisoning.
A second technique described a Kerberos relay vector that abuses how Windows clients process DNS CNAME responses when building the SPN for TGS requests, allowing an on-path attacker (e.g., via ARP poisoning or DHCPv6/mitm6) to redirect victims to attacker-controlled services and obtain service tickets usable for relays and lateral movement. The write-up claims default configurations across Windows 10/11 and Windows Server 2022/2025 are susceptible, with potential impact including cross-protocol relays (e.g., HTTP→SMB/LDAP) and paths to RCE in some environments (e.g., via ADCS web enrollment scenarios). A separate Metasploit weekly wrap-up noted new and updated offensive modules (including AD privilege-escalation content), but it did not specifically tie to either of the two relay issues above.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
A public proof-of-concept was released for CVE-2026-24294, an NTLM reflection bypass flaw affecting Windows Server 2025 that can yield SYSTEM-level access by relaying coerced NTLM authentication via SMB on a non-standard TCP port. The issue was described as bypassing Microsoft's earlier mitigation for CVE-2025-33073 and was demonstrated with modified coercion tooling and Impacket-based relay techniques.
A public write-up described how many enterprises remained unpatched months after the June 2025 fix for CVE-2025-33073, leaving systems exposed to NTLM reflection, coercion, and cross-protocol relay attacks affecting services such as LDAPS, ADCS, MSSQL, and WinRM.
Researchers disclosed technical details for a Kerberos relay attack that abuses malicious DNS CNAME responses during TGS requests, and released a modified mitm6 proof-of-concept with CNAME poisoning support. The attack was reported to work against default Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 configurations when anti-relay controls are absent.
Microsoft shipped January 2026 patches for CVE-2026-20929, adding Channel Binding Token support for HTTP.sys to mitigate part of the Kerberos relay attack chain. The underlying DNS CNAME coercion behavior was reported to remain for other protocols.
Researchers reported a Windows Kerberos weakness involving DNS CNAME-based service principal name manipulation to Microsoft. The disclosure reportedly occurred in October 2025.
Microsoft released June 2025 Windows updates for CVE-2025-33073, an SMB client vulnerability enabling NTLM reflection and relay attacks that can lead to privilege escalation and potential Active Directory compromise.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.