CVE-2025-60704 Overview
CVE-2025-60704 is a privilege escalation vulnerability in Microsoft Windows Kerberos caused by a missing cryptographic step. This flaw allows an unauthorized attacker to elevate privileges over a network, potentially gaining unauthorized access to protected resources within an Active Directory environment.
Critical Impact
An unauthenticated attacker can exploit this cryptographic weakness in Kerberos authentication to escalate privileges across the network, potentially compromising domain resources and user accounts.
Affected Products
- Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1
- Microsoft Windows Server 2012, 2012 R2
- Microsoft Windows Server 2016, 2019
- Microsoft Windows Server 2022, 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- November 11, 2025 - CVE-2025-60704 published to NVD
- November 17, 2025 - Last updated in NVD database
Technical Details for CVE-2025-60704
Vulnerability Analysis
This vulnerability stems from a missing cryptographic step in the Windows Kerberos authentication protocol implementation. Kerberos relies on a series of cryptographic operations to ensure the authenticity and integrity of authentication tickets. When one of these cryptographic steps is omitted, it creates a weakness that can be exploited to forge or manipulate authentication tokens.
The attack requires network access to the target environment and some user interaction, making it a targeted attack vector rather than an opportunistic one. However, once exploited, the attacker can achieve high impact across confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause is classified as CWE-325: Missing Required Cryptographic Step. In the context of Kerberos authentication, this means that a critical cryptographic validation or transformation is not being performed during the ticket processing workflow. This omission allows attackers to bypass security controls that would normally prevent unauthorized privilege escalation.
The missing cryptographic step likely relates to ticket validation, signature verification, or encryption key derivation within the Kerberos protocol implementation in Windows.
Attack Vector
The attack vector is network-based, meaning an attacker must have network connectivity to the target system. The exploitation scenario involves:
- Network Access: The attacker positions themselves on the same network as the target Windows systems or domain controller
- User Interaction: Some form of user interaction is required to trigger the vulnerable code path
- Cryptographic Bypass: The attacker exploits the missing cryptographic step to manipulate Kerberos tickets
- Privilege Escalation: Forged or modified tickets grant elevated privileges to the attacker
The vulnerability affects both Windows client and server operating systems, with particular concern for domain environments where Kerberos is the primary authentication mechanism.
Detection Methods for CVE-2025-60704
Indicators of Compromise
- Anomalous Kerberos authentication events in Windows Security logs (Event IDs 4768, 4769, 4770, 4771)
- Unusual ticket-granting ticket (TGT) or service ticket (TGS) requests with malformed or unexpected attributes
- Authentication attempts from unexpected network locations or for accounts that should not be active
- Privilege escalation events (Event ID 4672) associated with suspicious authentication patterns
Detection Strategies
- Monitor Windows Security Event logs for Kerberos authentication anomalies, particularly failed authentication attempts followed by successful privilege escalation
- Implement network traffic analysis to detect malformed Kerberos protocol exchanges
- Deploy endpoint detection and response (EDR) solutions like SentinelOne to identify suspicious authentication behavior patterns
- Configure advanced auditing for Kerberos authentication events across domain controllers
Monitoring Recommendations
- Enable verbose Kerberos logging on domain controllers using Group Policy (Computer Configuration > Policies > Administrative Templates > System > Kerberos)
- Implement SIEM correlation rules to detect unusual authentication patterns across the domain
- Monitor for lateral movement indicators following suspicious Kerberos events
- Establish baseline authentication behavior for privileged accounts to detect deviations
How to Mitigate CVE-2025-60704
Immediate Actions Required
- Apply the latest Microsoft security updates from the November 2025 Patch Tuesday release to all affected Windows systems
- Prioritize patching domain controllers and systems with privileged access
- Review and audit Kerberos authentication logs for any signs of exploitation prior to patching
- Implement network segmentation to limit lateral movement potential if exploitation occurs
Patch Information
Microsoft has released security updates to address this vulnerability. Organizations should consult the Microsoft Security Response Center advisory for CVE-2025-60704 for specific patch details and deployment guidance for each affected product version.
Patches are available for all supported versions of Windows, including:
- Windows 10 versions 1607, 1809, 21H2, 22H2
- Windows 11 versions 23H2, 24H2, 25H2
- Windows Server 2008 through Windows Server 2025
Workarounds
- Enable Protected Users security group for highly privileged accounts to enforce stronger authentication protections
- Implement Credential Guard on supported Windows 10/11 systems to protect Kerberos credentials
- Configure Kerberos constrained delegation carefully and audit delegation settings across the domain
- Consider implementing network-level authentication restrictions to limit exposure while patches are deployed
# Enable advanced Kerberos auditing via Group Policy
# Run on domain controllers to enhance detection capabilities
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
