meryem_Li

Critical Kerberos Delegation Vulnerability Discovered in Active Directory (Silverfort Research, Nov 2025)

⚠️ Critical Kerberos Delegation Vulnerability Found in Active Directory
Discovered by Silverfort – Patched in Microsoft’s November 2025 Patch Tuesday

A new high-impact security flaw has been discovered in the Kerberos delegation mechanism used in Active Directory environments.
The research team at Silverfort identified a weakness that could enable attackers to perform a Man-in-the-Middle (MitM) attack and potentially escalate privileges by impersonating another user.

While Microsoft considers the attack path “complex,” the impact on real AD infrastructures is significant enough to require immediate attention.

What is the issue?

Kerberos relies on encrypted tickets to authenticate users and services in Active Directory.
However, Silverfort discovered that under specific delegation scenarios, an attacker who can intercept or manipulate Kerberos traffic may be able to:

hijack the delegation process

impersonate another user, including privileged accounts

escalate privileges inside the domain

This affects both constrained and unconstrained delegation configurations.

Why this attack matters

Successful exploitation would allow a threat actor to move laterally inside a Windows environment by masquerading as another authenticated user.
Even though the attack requires network access and technical expertise, history has shown that “complex” attacks often become automated once public research is released.

Silverfort will present more details at the next Black Hat conference.

Microsoft Patch Tuesday – November 2025

Microsoft has released a security update to address this flaw.
The patch strengthens delegation validation and blocks potential manipulation of Kerberos tickets during the delegation process.

Recommended:

Apply the November 2025 patch immediately, especially on:

Domain Controllers

Servers using Kerberos delegation

Service accounts configured for delegation

How to protect your environment

  1. Audit delegation settings

Reduce use of unconstrained delegation

Avoid delegating privileges to highly privileged accounts

Review service accounts regularly

  2. Monitor Kerberos activity

Watch for unusual behaviors such as:

abnormal TGT/TGS requests

unusual delegation or impersonation events

abnormal ticket lifetime or reuse

  3. Harden AD against MitM

SMB signing

LDAP over TLS

Defender Credential Guard

Network segmentation
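
One way to run the delegation audit from step 1, as an added example that is not code from the original post, Silverfort, or Microsoft. It assumes the RSAT ActiveDirectory module and read access to the directory, and it also reports resource-based constrained delegation, which the post does not cover.

```powershell
# Added example: read-only audit of Kerberos delegation settings.
# Assumes the RSAT ActiveDirectory module and rights to read the directory.
Import-Module ActiveDirectory

# userAccountControl bits
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

# LDAP bitwise-AND matching rule against userAccountControl
$uac = '(userAccountControl:1.2.840.113556.1.4.803:={0})'
$filter = '(|' + ($uac -f $TRUSTED_FOR_DELEGATION) +
                 ($uac -f $TRUSTED_TO_AUTH_FOR_DELEGATION) +
                 '(msDS-AllowedToDelegateTo=*)' +
                 '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity'

$report = Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    $flags = [int]$_.userAccountControl
    $kinds = @()
    if ($flags -band $TRUSTED_FOR_DELEGATION) {
        # Domain controllers carry this flag by design; label them so they
        # are not mistaken for findings.
        if ($flags -band $SERVER_TRUST_ACCOUNT) { $kinds += 'Unconstrained (DC)' }
        else { $kinds += 'Unconstrained' }
    }
    if ($_.'msDS-AllowedToDelegateTo') { $kinds += 'Constrained' }
    if ($flags -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { $kinds += 'Protocol transition' }
    if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity') { $kinds += 'Resource-based' }
    [pscustomobject]@{
        Name       = $_.Name
        Class      = $_.ObjectClass
        Delegation = $kinds -join ', '
        Targets    = $_.'msDS-AllowedToDelegateTo' -join '; '
    }
}
$report | Sort-Object Delegation, Name | Format-Table -AutoSize -Wrap

# Privileged users (adminCount=1) that can still be delegated.
$privFilter = '(&(adminCount=1)(!' + ($uac -f $NOT_DELEGATED) + '))'
Get-ADUser -LDAPFilter $privFilter |
    Select-Object SamAccountName, DistinguishedName
```

Rows labelled "Unconstrained" without "(DC)" are the ones to reduce first; accounts returned by the second query are candidates for the "Account is sensitive and cannot be delegated" setting.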

Final Thoughts

Kerberos is one of the most trusted pillars of Active Directory authentication.
This newly discovered flaw reminds us that even well-established security protocols can contain hidden weaknesses.

The best protection is straightforward:
patch early, audit often, and continuously monitor your AD environment.
