
Kerberos
Kerberos is the default authentication protocol for Windows domain environments; CVE-2026-47288 is a remote code execution (RCE) flaw in the Windows Kerberos Key Distribution Centre (KDC) that affects domain controller authentication.
Last refreshed: 14 June 2026
Does CVE-2026-47288 let an attacker take over a Windows domain remotely?
Timeline for Kerberos
Carried CVE-2026-47288 KDC RCE patched in the June cycle
Cybersecurity: Threats and Defences: 200 fixes, six zero-days, late Exchange
- What is Kerberos authentication and how does it work?
- Kerberos is a ticket-based authentication protocol used by Windows Active Directory and many enterprise systems. A Key Distribution Centre (KDC) issues time-limited cryptographic tickets after verifying credentials, letting users and services authenticate without sending passwords across the network.
- What is CVE-2026-47288 in the Windows Kerberos KDC?
- CVE-2026-47288 is a critical Remote Code Execution flaw in the Windows Kerberos Key Distribution Centre component, patched in June 2026. It allowed a remote attacker to execute code on a domain controller, the highest-privilege server in a Windows enterprise network.
- What is a Golden Ticket attack on Kerberos?
- A Golden Ticket attack forges a Kerberos Ticket-Granting Ticket (TGT) signed with the krbtgt account hash, giving the attacker persistent domain-wide access that survives password resets. It was first demonstrated by researcher Benjamin Delpy and remains a core post-exploitation technique in Windows environments.
- Can a Kerberos vulnerability affect Linux as well as Windows?
- Windows-specific KDC flaws like CVE-2026-47288 affect only the Microsoft implementation. Linux and macOS using MIT Kerberos or Samba run separate codebases. However, hybrid environments where a Windows KDC issues tickets for Linux clients mean a compromised Windows KDC can undermine cross-platform authentication.
Background
Kerberos is the default authentication protocol for Windows domain environments. It was designed at MIT in the 1980s and adopted by Microsoft for Active Directory from Windows 2000 onwards. It uses a trusted third party, the Key Distribution Centre (KDC), running on domain controllers to issue time-limited cryptographic tickets that allow users and services to authenticate without transmitting passwords across the network. In June 2026 Microsoft patched CVE-2026-47288, a Remote Code Execution vulnerability in the Windows KDC component that affects domain controller authentication, one of the highest-value targets in any Windows enterprise network.
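The ticket issuance described above can be modelled in a few lines. This is an added illustration, not code from the original page or from any Kerberos implementation: it collapses the TGT and service-ticket steps into one exchange, uses a toy HMAC-based cipher in place of a real Kerberos encryption type, and all names (`KDC`, `client_authenticate`, `service_accept`) are hypothetical.

```python
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the long-term key is derived from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (HMAC keystream + HMAC tag), NOT a Kerberos etype.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)

    def issue(self, client: str, service: str, now: int, lifetime: int = 600):
        # Request carries names only; reply is sealed for the client, ticket for the service.
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session,
                                           "expires": now + lifetime})
        return seal(self.keys[client], {"service": service, "session": session}), ticket

def client_authenticate(kdc: KDC, name: str, password: str, service: str, now: int):
    reply, ticket = kdc.issue(name, service, now)
    # Only a client that knows the password can recover the session key from the reply.
    session = unseal(derive_key(password, kdc.realm + name), reply)["session"]
    return ticket, seal(bytes.fromhex(session), {"client": name, "time": now})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]
```

The password never appears in any message, and the service trusts the ticket only because it is sealed under a long-term key held by the KDC, which is why the confidentiality of those keys matters so much.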
Kerberos vulnerabilities in Windows implementations have a long history: MS14-068 (2014) allowed any authenticated user to forge Kerberos tickets with domain administrator privileges, while the Golden Ticket and Silver Ticket techniques discovered by security researcher Benjamin Delpy remain active post-exploitation staples. The protocol's design means the KDC is inherently network-reachable from every domain-joined machine, so a Remote Code Execution flaw on the KDC has no requirement for physical access or a pre-existing foothold on the target server. Successful exploitation compromises the entire Windows domain.
Kerberos operates across platforms beyond Windows: Linux systems using Samba or MIT Kerberos, macOS in enterprise environments, and cross-realm trusts spanning cloud directories all rely on Kerberos or its derivative protocols. Windows-specific KDC flaws do not directly affect non-Windows KDC implementations, but the overlap matters for organisations running hybrid authentication environments where a Windows domain controller issues tickets consumed by Linux or macOS clients.