TL;DR: A Windows Kerberos constrained delegation flaw, tracked as CVE-2025-60704, let attackers impersonate arbitrary users and escalate privileges by exploiting validation failures in the S4U (Service for User) extensions, according to Silverfort. The deeper lesson is that trust paths built for controlled impersonation become channels for swapping one identity for another when validation breaks and monitoring lags behind.
NHIMG editorial — based on content published by Silverfort covering CVE-2025-60704: validation flaws in Windows Kerberos S4U from protocol transition to privilege escalation
By the numbers:
- As part of responsible disclosure, our research team reported the Kerberos constrained delegation vulnerability to Microsoft, and on November 11, 2025, Microsoft issued an update as part of Patch Tuesday; the vulnerability received a CVSS score of 7.5.
Questions worth separating out
Q: What breaks when Kerberos delegation validation is weakened?
A: When Kerberos delegation validation is weakened, an attacker who controls a service on the delegation path can manipulate the identity carried through it, so the service at the end of the path accepts a different user than the one the delegation was meant to carry. In the constrained delegation case that means tickets for users the front-end service was never authorised to impersonate.
Q: Why does Kerberos delegation create such a large risk in Active Directory?
A: Kerberos delegation matters because Active Directory relies on it as a core trust mechanism: a front-end service obtains tickets on behalf of users to reach back-end services, so any flaw in how that hand-off is validated affects every application built on top of it.
Q: How do security teams know whether delegation paths are too risky?
A: Delegation paths are too risky when they are broadly enabled (many accounts trusted to delegate, or protocol transition allowed where it is not needed), poorly monitored (no visibility into which identities are being delegated to which services), and still reachable through legacy validation behaviour that a patched environment should have removed.
Practitioner guidance
- Patch Kerberos delegation paths first: apply Microsoft's fixes to all Active Directory environments using Kerberos delegation, and prioritise systems where S4U flows are exposed to business-critical applications.
- Alert on constrained delegation usage: set up ITDR detection for all Kerberos constrained delegation activity, especially where impersonation events or unusual ticket exchange patterns appear.
- Inventory legacy-reachable delegation modes: catalogue where legacy-reachable Kerberos reply validation still exists, and remove or isolate those pathways before attackers can manipulate identity binding.
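The second and third guidance items above (alert on constrained delegation usage; inventory delegation modes) can be started from a domain controller with the ActiveDirectory RSAT module. The following is an added example written for this post, not code from Silverfort or Microsoft. It assumes the standard `userAccountControl` bit values for TRUSTED_FOR_DELEGATION (0x80000) and TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000), that constrained delegation targets live in `msDS-AllowedToDelegateTo` and resource-based targets in `msDS-AllowedToActOnBehalfOfOtherIdentity`, and that the DC's Security log is readable so that event 4769 (Kerberos service ticket requested) can be inspected for a populated Transited Services field, which is the documented marker of a ticket obtained through delegation. The 24-hour window and the choice of Domain Admins as the "privileged" set are illustrative assumptions.

```powershell
# Added example (not from the Silverfort post): inventory every account that is
# trusted for some form of Kerberos delegation, then surface delegated ticket
# requests (4769 with Transited Services) that name a privileged identity.
Import-Module ActiveDirectory

# Documented userAccountControl bits (assumed constants, see lead-in)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2Self without the user ever authenticating

$props = 'userAccountControl', 'servicePrincipalName',
         'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'

# Matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

$delegation = Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    $uac = [int]($_.userAccountControl)
    [pscustomobject]@{
        Name               = $_.Name
        Class              = $_.ObjectClass
        Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        ConstrainedTo      = (@($_.'msDS-AllowedToDelegateTo') -join ';')
        # Presence of this SD means THIS object is the back-end that accepts RBCD,
        # not the front-end doing the delegating.
        RBCDTarget         = [bool]$_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    }
}

# Protocol transition is the mode to review first: the front-end can mint a
# ticket for any user it chooses, which is exactly the capability abused when
# S4U validation fails.
$delegation | Sort-Object ProtocolTransition, Unconstrained -Descending | Format-Table -AutoSize

# --- Detection: delegated ticket requests on this DC in the last 24 hours ---
$since = (Get-Date).AddHours(-24)   # assumed window
$s4u = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Transited Services is '-' for an ordinary TGS request and lists the
    # front-end SPN(s) when the ticket came through constrained delegation.
    if ($d.TransitedServices -and $d.TransitedServices -ne '-') {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName     # identity being delegated
            Service   = $d.ServiceName        # back-end the S4U2Proxy request targets
            Transited = $d.TransitedServices  # front-end(s) that delegated
            Client    = $d.IpAddress
            Status    = $d.Status             # 0x0 = ticket issued
        }
    }
}

# Baseline: which user/service pairs are being delegated at all?
$s4u | Group-Object User, Service | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Alert condition: a privileged identity appearing as the delegated user.
# Domain Admins is an illustrative choice; use your own tier-0 set.
$privileged = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName
$s4u | Where-Object { ($_.User -replace '@.*', '') -in $privileged } |
    Format-Table Time, User, Service, Transited, Client -AutoSize
```

Run it on each domain controller (4769 is logged only on the DC that issued the ticket) and feed the two tables into the ITDR rule: any front-end in the 4769 output that is not in the inventory, any privileged user in the delegated-identity column, and any account flagged ProtocolTransition that has no business need for it are the findings to act on.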
What's in the full article
Silverfort's full analysis covers the protocol mechanics this post intentionally leaves at a high level:
- Step-by-step reverse engineering of the S4U2Self and S4U2Proxy validation failures behind CVE-2025-60704
- Detailed discussion of the Windows internals that shaped the exploit path and the trust assumptions it broke
- Presentation material from the Black Hat EU talk, including the research journey and mitigation discussion
- Responsible-disclosure context and the patching timeline that followed Microsoft’s November 2025 update
👉 Read Silverfort's analysis of CVE-2025-60704 and Kerberos delegation abuse →