Windows Kerberos Elevation of Privilege Vulnerability

Plan PatchCVSS 8CVE-2026-27912Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorAdjacent

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Improper authorization in Windows Kerberos allows an authorized attacker with valid domain credentials to elevate privileges over an adjacent network. The vulnerability allows bypass of authorization checks in the Kerberos implementation, potentially enabling an attacker to assume higher privilege levels without proper authentication. Patching is considered the primary mitigation; exploitation is assessed as less likely.

What this means

What could happen

An attacker with valid credentials and network access to a domain-joined Windows Server could bypass Kerberos authorization checks and escalate to higher privileges, potentially gaining full control of the server and the systems it manages.

Who's at risk

Windows Server administrators and operators running Windows Server 2016, 2019, 2022, or 2025 in domain environments. This affects any organization using Windows Servers for infrastructure services (Active Directory, DNS, DHCP, HMI systems, or data aggregation points for SCADA/ICS networks).

How it could be exploited

An attacker with credentials to a domain account on the same network segment as a Windows Server could send crafted Kerberos authentication requests that bypass authorization checks in the server's Kerberos implementation. This allows the attacker to assume a higher privilege level on that server without proper authentication.

Prerequisites

Valid domain user credentials
Network access to the Windows Server on the same network segment (adjacent network)
The Windows Server must be domain-joined and using Kerberos authentication

Requires valid credentialsNetwork access required from adjacent segmentHigh CVSS score (8/10)Affects domain authentication infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

Windows Server 2019All versionsBuild 10.0.17763.8644

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644

Windows Server 2022All versionsBuild 10.0.20348.5020

Windows Server 2022 (Server Core installation)All versionsBuild 10.0.20348.5020

Windows Server 2025 (Server Core installation)All versionsBuild 10.0.26100.32690

Windows Server 2022, 23H2 Edition (Server Core installation)All versionsBuild 10.0.25398.2274

Windows Server 2025All versionsBuild 10.0.26100.32690

Windows Server 2016All versionsBuild 10.0.14393.9060

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to domain-joined Windows Servers to only authorized administrative workstations and other infrastructure that requires direct connectivity

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXApply the 2026-Apr Windows security update to all affected Windows Server 2016, 2019, 2022, and 2025 installations

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate Windows Servers from untrusted or guest network segments

HARDENINGReview and enforce strong domain password policies to limit the blast radius if credentials are compromised

CVEs (1)

CVE-2026-27912

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/63ec02ec-24d0-45d5-98cd-d49845c4f95f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.