You win some, you CheckSum: New Kerberos delegation vulnerability discovered—attackers could impersonate, escalate privileges and stay hidden

Read the technical details for CVE-2025-60704 (CheckSum), a Kerberos delegation vulnerability.

This post was last updated February 2026. 

Kerberos delegation was originally designed as a security enhancement – a way to enable applications to authenticate securely on behalf of users when accessing resources. Impersonation as part of authentication isn’t inherently bad; it’s actually an elegant answer to a long-standing problem: how to let applications access resources only when they genuinely need to, while limiting the scope of data they can reach. For example, a front-end service acting on behalf of a user to call a backend API reflects a legitimate and well-controlled use of this mechanism.

As enterprise environments evolved, this approach became a standard for how applications interact with resources. Kerberos delegation introduced a structured and secure way for services to extend user access only where necessary, maintaining authentication integrity across complex systems. But by shifting where trust resides, it also expanded the landscape itself, creating more areas for researchers to explore potential weaknesses and for adversaries to interfere, manipulate, or abuse trust in new ways.

Kerberos delegation can therefore be dangerous in the wrong hands. What if an attacker finds a way to insert themselves into the delegation path and impersonate the user to access sensitive resources? Or, one step further, what if the threat actor figures out a way to impersonate a different, possibly more privileged, user than the one intended?

Eliran Partush, Security Researcher at Silverfort, examined this exact concept in his latest research and provided a complete technical analysis in his whitepaper, “CVE-2025-60704: Validation Flaws in Windows Kerberos S4U: From Protocol Transition to Privilege Escalation.”

In the whitepaper, Eliran describes CVE-2025-60704, a Windows Kerberos elevation-of-privilege condition that emerges from multiple validation flaws across the S4U2Self and S4U2Proxy flows. The weaknesses center on how the S4U identity is cryptographically bound to a request and on how the client validates the integrity of KDC replies in legacy modes that remain reachable.

Jump straight to the technical whitepaper below, or keep reading for a high-level overview of the research that was shared at Black Hat EU in London in December 2025.

Technical whitepaper

CVE-2025-60704: Validation Flaws in Windows Kerberos S4U: From Protocol Transition to Privilege Escalation


CVE discovery

As part of responsible disclosure, our research team reported the Kerberos constrained delegation vulnerability to Microsoft, and on November 11, 2025 they issued an update as part of Patch Tuesday, where it received a CVSS score of 7.5. Using a man-in-the-middle technique, this flaw allowed us to impersonate arbitrary users and ultimately gain control over the entire domain.

Why CVE-2025-60704 matters

Kerberos is a multi-layered protocol and can be complex to understand at first; it involves multiple message exchanges, encrypted tickets, and session keys. Its main purpose is to let an application authenticate a user. Delegation adds another layer of complexity, with several models available: unconstrained, constrained, and resource-based (RBCD). Each extends trust boundaries across services. A final layer of complexity is that Kerberos delegation can also interplay with other authentication types.

Delegation will always be an important consideration in cybersecurity for one main reason: the ability to impersonate a user’s identity is an attractive target for attackers. It doesn’t matter if your organization is cloud-native or if you have mission-critical apps exclusively built on legacy architectures. The concept remains the same: an application acting on behalf of a user’s identity can be powerful if abused.

Eliran’s Black Hat EU Talk

As our team began researching, we looked for ways to bypass the security mechanisms of the Kerberos delegation protocol. That’s when something interesting emerged: in Kerberos Constrained Delegation (KCD), the protocol had some mechanisms that allowed us to not only impersonate a user we gained access to, but also escalate privileges and more. We would elaborate—but that’s saved for the talk.

The impact of CVE-2025-60704 if exploited

We often think of identity threats as being related to gaining access to the targeted identity (whether human or non-human like a service account) and then seeing what’s possible using that identity’s permissions. Rarely do we think in terms of gaining access, then being able to switch who we become to someone else entirely.

The impact of this is clear: any organization using Active Directory, with the Kerberos delegation capability turned on, is impacted. This means thousands of companies around the world are affected by this vulnerability. Because Kerberos delegation is a feature within Active Directory, an attacker requires initial access to an environment with compromised credentials. Once the vulnerability is exploited, the attackers could escalate privileges and move laterally to other machines in an organization. Worse, they could also gain the ability to impersonate anyone in the company, unlocking untold access or even becoming a domain admin.

Exploiting CVE-2025-60704 would be part of an attacker's long game: stealing IP or personal data, impersonation, ransomware, and more.

Mitigating CVE-2025-60704

Kerberos has been trusted for decades as the backbone of enterprise authentication. However, even the most well-architected security protocols can be quietly undermined and exploited. So, what should security teams do?

For any company using Active Directory, we recommend patching this vulnerability as soon as possible. If patching isn’t an option for the time being, set up an alert in your ITDR solution to monitor all Kerberos Constrained Delegation activity.
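Monitoring starts with knowing which accounts are even allowed to delegate. The script below is an added example, not code from the post or from Silverfort: it inventories constrained delegation (msDS-AllowedToDelegateTo), flags accounts that also have protocol transition enabled (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl), and lists resource-based delegation targets so the result can feed an alert rule. It assumes the RSAT ActiveDirectory module and read access to the domain; the output file names are arbitrary.

```powershell
# Added example (not from the Silverfort post): inventory every account that has
# Kerberos delegation configured, so the list can feed an ITDR alert rule.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# userAccountControl bits as documented by Microsoft
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self to any user)

function Get-KcdInventory {
    # Any user or computer object with a non-empty msDS-AllowedToDelegateTo list
    # has classic constrained delegation configured.
    $objects = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl, servicePrincipalName

    foreach ($obj in $objects) {
        $uac = [int]$obj.userAccountControl
        [pscustomobject]@{
            Account            = $obj.Name
            ObjectClass        = $obj.ObjectClass
            DelegatesTo        = ($obj.'msDS-AllowedToDelegateTo' -join '; ')
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        }
    }
}

function Get-RbcdTargets {
    # Resource-based constrained delegation is stored on the *target* object in
    # msDS-AllowedToActOnBehalfOfOtherIdentity, so it needs a separate query.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        Select-Object Name, ObjectClass
}

# Accounts combining constrained delegation with protocol transition deserve the
# tightest monitoring: they can request tickets on behalf of users who never
# authenticated to them, which is the protocol-transition path the whitepaper
# title refers to. Review that subset first and baseline it for alerting.
$inventory = Get-KcdInventory
$inventory | Sort-Object ProtocolTransition -Descending | Format-Table -AutoSize
$inventory | Where-Object ProtocolTransition |
    Export-Csv -NoTypeInformation -Path .\kcd-protocol-transition.csv   # arbitrary file name
Get-RbcdTargets | Export-Csv -NoTypeInformation -Path .\rbcd-targets.csv  # arbitrary file name
```

Re-run the inventory on a schedule and alert on any new row, since a newly delegation-enabled account is a change to the trust boundary the post describes.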

Eliran Partush’s talk at Black Hat EU in London

If you attended Black Hat in London, you saw us go through it all:

  • Where the research started, and how our research team stumbled upon the CVE.
  • How a mechanism designed to make your infrastructure more secure expands your attack surface.
  • Protocol behavior, trust assumptions, and some light reverse engineering of Windows internals that helped us trace the flaw down to its root.
  • Mitigation strategies and how to better protect environments relying on Kerberos delegation.

An on-demand video of the talk will be coming soon, and we’ll link it in this post. Until the talk is available, read our whitepaper for the technical details.

Interested in staying in touch and keeping up with our research? Connect with the researcher on LinkedIn to follow for more.

About Eliran Partush, Silverfort Security Researcher

Eliran is a security researcher and IT specialist on the Silverfort Research Team with a specific interest in network and authentication protocols, especially Kerberos. He loves challenges like CTFs and diving into deep protocol study. He has an extensive background as a network and system engineer at Cisco for 10+ years and has always enjoyed taking systems apart and putting them back together again.
