Mallory
Severity: High

CheckSum Kerberos Constrained Delegation Privilege Escalation

Identifiers: CVE-2025-60704, CWE-345

CVE-2025-60704, nicknamed CheckSum, is a privilege-escalation vulnerability in Windows Kerberos affecting the protocol-transition and constrained-delegation flows. The root cause is a missing cryptographic step in KDC request processing: a vulnerable Key Distribution Center accepts a malformed TGS-REQ whose PA-S4U-X509-USER pre-authentication data carries an unkeyed checksum instead of one keyed with the TGT session key, so the checksum can be downgraded and the identity it protects can be forged. An attacker can send such a TGS-REQ in the name of a service account configured for protocol transition (the TrustedToAuthForDelegation flag in userAccountControl), name a privileged user such as a Domain Administrator in the PA-S4U-X509-USER data, and receive an S4U2self service ticket asserting that identity. That forged ticket then serves as the evidence ticket in a subsequent S4U2proxy request, yielding a delegated service ticket to a backend service such as CIFS or LDAP on behalf of the impersonated user.


Analyst brief: impact, mitigation & remediation

Impact


Successful exploitation lets an attacker on the network elevate privileges in an Active Directory domain by impersonating a highly privileged user through Kerberos delegation. With a delegated service ticket for CIFS or LDAP issued as the forged administrator identity, the attacker gains administrative access to the targeted hosts, can execute arbitrary commands on them, and can read or modify sensitive directory data. The end state is domain-admin-level compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by reviewing and minimizing use of Kerberos protocol transition and constrained delegation, in particular every account with the TrustedToAuthForDelegation flag set, since the forged request is made in the name of such an account. Limit which services are allowed to delegate, remove constrained-delegation paths that are no longer needed (especially any msDS-AllowedToDelegateTo entry pointing at CIFS, LDAP or HOST on a domain controller), and monitor KDC logs (Event ID 4769 on domain controllers) for anomalous protocol-transition requests, service tickets that assert privileged identities, and unusual S4U2proxy requests to backend services such as CIFS and LDAP. Note that 4769 does not record which checksum type the KDC accepted, so detection has to key on who is being impersonated, by which service, and towards which backend. No vendor mitigation other than the update is documented for this issue.
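The review-and-monitor steps above, as an added PowerShell example that is not part of the advisory and not Microsoft's tooling: it enumerates accounts with TrustedToAuthForDelegation together with their delegation targets, flags those that reach a domain controller, and applies a heuristic to Event ID 4769 records that keeps only delegation-produced tickets asserting a privileged identity. The heuristic is exercised offline on a constructed sample event; the RSAT ActiveDirectory module, 4769 auditing on the domain controllers, and the names websvc, DC01, DC02 and CORP.EXAMPLE are assumptions.

```powershell
# Added example for this advisory; not Microsoft's or Mallory's code. Assumes the RSAT
# ActiveDirectory module, "Audit Kerberos Service Ticket Operations" (Event ID 4769)
# enabled on domain controllers, and read access to their Security log. The account
# names, hosts and realm (websvc, DC01, DC02, CORP.EXAMPLE) are made up.

# userAccountControl bit for TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
$TrustedToAuthForDelegation = 0x1000000

# Lists every account allowed to perform S4U2self for arbitrary users, with the backend
# SPNs it may delegate to. A target on a domain controller (cifs/ldap/host) is what
# turns a forged Domain Admin identity into domain compromise.
function Get-ProtocolTransitionAccount {
    param([string[]]$DomainControllerHost = @())
    Import-Module ActiveDirectory -ErrorAction Stop
    $ldap = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedToAuthForDelegation)"
    Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $targets = @($_.'msDS-AllowedToDelegateTo')
            $reaches = $false
            foreach ($spn in $targets) {
                foreach ($dc in $DomainControllerHost) {
                    if ($spn -match ('^(cifs|ldap|host)/{0}(\.|:|$)' -f [regex]::Escape($dc))) { $reaches = $true }
                }
            }
            [pscustomobject]@{ Account = $_.sAMAccountName; DelegatesTo = $targets; ReachesDC = $reaches }
        }
}

# Flattens one 4769 event (the XML from EventLogRecord.ToXml()) into the fields we need.
function ConvertFrom-Event4769 {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time              = $x.Event.System.TimeCreated.SystemTime
        User              = ([string]$d['TargetUserName'] -split '@')[0]   # identity asserted in the ticket
        Service           = ([string]$d['ServiceName']).TrimEnd('$')        # account the ticket was issued to
        TransitedServices = [string]$d['TransitedServices']                # populated only after S4U2proxy
        ClientIp          = [string]$d['IpAddress']
        Status            = [string]$d['Status']
    }
}

# Heuristic: a service ticket asserting a privileged identity that was produced by delegation.
#  - TransitedServices populated: the ticket came out of S4U2proxy (an evidence ticket was used)
#  - ticket issued to a protocol-transition account itself: that is an S4U2self ticket
# 4769 does not carry the checksum type the KDC accepted, so this cannot tell a forged
# S4U2self from a legitimate one; it narrows the haystack to the tickets that matter.
function Test-SuspiciousDelegationTicket {
    param(
        [Parameter(Mandatory)]$Ticket,
        [Parameter(Mandatory)][string[]]$PrivilegedUser,
        [string[]]$TransitionAccount = @()
    )
    if ($Ticket.Status -ne '0x0') { return $null }                  # only tickets that were issued
    if ($PrivilegedUser -notcontains $Ticket.User) { return $null }
    $reasons = @()
    if ($Ticket.TransitedServices -and $Ticket.TransitedServices -ne '-') {
        $reasons += "S4U2proxy ticket for $($Ticket.User) to $($Ticket.Service) via $($Ticket.TransitedServices)"
    }
    if ($TransitionAccount -contains $Ticket.Service) {
        $reasons += "S4U2self ticket for $($Ticket.User) issued to transition account $($Ticket.Service)"
    }
    if ($reasons.Count) { $reasons } else { $null }
}

# Pulls 4769 events from the local Security log (run on a domain controller) and keeps the hits.
function Find-SuspiciousDelegationTicket {
    param(
        [Parameter(Mandatory)][string[]]$PrivilegedUser,
        [string[]]$TransitionAccount = @(),
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $StartTime } -ErrorAction Stop |
        ForEach-Object {
            $t   = ConvertFrom-Event4769 $_.ToXml()
            $why = Test-SuspiciousDelegationTicket -Ticket $t -PrivilegedUser $PrivilegedUser -TransitionAccount $TransitionAccount
            if ($why) { $t | Add-Member -NotePropertyName Reason -NotePropertyValue ($why -join '; ') -PassThru }
        }
}

# Constructed sample event (not a real log line): an S4U2proxy ticket for Administrator to
# DC01's host account, transited through the protocol-transition account websvc.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-11-12T10:15:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator@CORP.EXAMPLE</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">DC01$</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.20.30.40</Data>
    <Data Name="IpPort">51234</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TransitedServices">websvc@CORP.EXAMPLE</Data>
  </EventData>
</Event>
'@
Test-SuspiciousDelegationTicket -Ticket (ConvertFrom-Event4769 $sample) -PrivilegedUser 'Administrator' -TransitionAccount 'websvc'

# On a domain controller:
#   $pt = Get-ProtocolTransitionAccount -DomainControllerHost 'DC01', 'DC02'
#   $pt | Where-Object ReachesDC | Format-Table Account, DelegatesTo
#   Find-SuspiciousDelegationTicket -PrivilegedUser 'Administrator' -TransitionAccount $pt.Account
```

Feed the accounts returned by Get-ProtocolTransitionAccount into the -TransitionAccount list so that S4U2self tickets issued to them are caught as well as the S4U2proxy tickets that carry a Transited Services value; any hit for a Domain Admin identity issued to a service that has no business impersonating one is the signal to chase.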

Remediation

Patch, then assume compromise.

Apply Microsoft's update for CVE-2025-60704 to every affected Windows system, domain controllers (the KDCs) first. The flaw is the KDC's acceptance of an unkeyed checksum in PA-S4U-X509-USER during delegation processing; the fix makes the KDC reject the downgraded request and enforce the required keyed-checksum validation. A ticket forged before the update was installed remains valid until it expires, so after patching review the protocol-transition accounts and 4769 history described under Mitigation and treat any privileged identity delegated through an unexpected service as a possible compromise.
Public exploits

No public exploit code observed for this vulnerability.

Exposure surface

Affected products & vendors

Products and vendors correlated with this vulnerability (specific CPE configurations and version ranges are not listed here).

Vendor                  Product                   Type
Microsoft Corporation   Windows 10 1607           operating_system
Microsoft Corporation   Windows 10 1809           operating_system
Microsoft Corporation   Windows 10 21h2           operating_system
Microsoft Corporation   Windows 10 22h2           operating_system
Microsoft Corporation   Windows 11 23h2           operating_system
Microsoft Corporation   Windows 11 24h2           operating_system
Microsoft Corporation   Windows 11 25h2           operating_system
Microsoft Corporation   Windows Server 2008       operating_system
Microsoft Corporation   Windows Server 2008 R2    operating_system
Microsoft Corporation   Windows Server 2008 Sp2   operating_system
Microsoft Corporation   Windows Server 2012       operating_system
Microsoft Corporation   Windows Server 2012 R2    operating_system
Microsoft Corporation   Windows Server 2016       operating_system
Microsoft Corporation   Windows Server 2019       operating_system
Microsoft Corporation   Windows Server 2022       operating_system
Microsoft Corporation   Windows Server 2022 23h2  operating_system
Microsoft Corporation   Windows Server 2025       operating_system
Microsoft Corporation   Windows Server 23h2       operating_system

Vendor-confirmed product mapping.
