Windows Kerberos Key Distribution Center (KDC) Remote Code Execution

Plan PatchCVSS 7.1CVE-2026-47288Jun 9, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorAdjacent

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

An integer overflow vulnerability in Windows Kerberos Key Distribution Center (KDC) allows an authorized attacker with valid domain credentials on an adjacent network to execute code on a domain controller. The flaw is in how the KDC processes certain Kerberos requests. All versions of Windows Server 2016, 2019, 2022, and 2025 are affected. Successful exploitation would allow an attacker to run arbitrary commands with system-level privileges on the compromised domain controller.

What this means

What could happen

An attacker with valid credentials on your network could exploit an integer overflow in the Windows Kerberos system to run unauthorized code on a domain controller, potentially compromising authentication for all connected systems and devices.

Who's at risk

Organizations running Windows Server 2016, 2019, 2022, or 2025 as domain controllers should prioritize patching. This affects any facility that relies on Active Directory for system authentication and authorization, including industrial control networks, utility SCADA systems, and any other critical infrastructure using Windows-based authentication.

How it could be exploited

An attacker with valid domain credentials could send a specially crafted Kerberos request to the Key Distribution Center (KDC) running on a Windows Server domain controller. The integer overflow flaw in the KDC's request processing would allow the attacker to execute arbitrary code with system privileges on the domain controller itself.

Prerequisites

Valid domain credentials (user account)
Network access to Kerberos service port 88 (TCP/UDP) on the domain controller
Both attacker and target on the same network segment (adjacent network)

Remotely exploitableAuthentication required (valid credentials)High complexity exploitationAffects domain controller security infrastructureNo active exploitation reported

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

Windows Server 2019All versionsBuild 10.0.17763.8880

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8880

Windows Server 2022All versionsBuild 10.0.20348.5256

Windows Server 2022 (Server Core installation)All versionsBuild 10.0.20348.5256

Windows Server 2025 (Server Core installation)All versionsBuild 10.0.26100.32995

Windows Server 2025All versionsBuild 10.0.26100.32995

Windows Server 2016All versionsBuild 10.0.14393.9234

Windows Server 2016 (Server Core installation)All versionsBuild 10.0.14393.9234

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDRestrict network access to port 88 (Kerberos) on domain controllers to authorized administrative and domain-joined systems only

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXUpdate Windows Server 2016 to Build 10.0.14393.9234 or later

Windows Server 2019

HOTFIXUpdate Windows Server 2019 to Build 10.0.17763.8880 or later

Windows Server 2022

HOTFIXUpdate Windows Server 2022 to Build 10.0.20348.5256 or later

Windows Server 2025

HOTFIXUpdate Windows Server 2025 to Build 10.0.26100.32995 or later

Long-term hardening

0/1

HARDENINGMonitor domain controller logs for failed Kerberos authentication attempts and suspicious KDC activity

CVEs (1)

CVE-2026-47288

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/491520e8-57f1-422c-adac-964632b392f8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.