What is CVE-2026-20929?

CVSS 7.5 bug letting Kerberos relay via DNS CNAME to AD CS for certificate theft. Patched Jan 2026.

How to detect Kerberos relay to AD CS?

Correlate cert auth events with AD CS access in short windows—CrowdStrike style. Watch SPN anomalies.

Does CVE-2026-20929 affect Kerberos-only environments?

Yes—bypasses NTLM blocks, targets web enrollment even on HTTPS if misconfig'd, but HTTP's worst.

CVE-2026-20929: Hackers Hijack Your Certs with DNS CNAME Tricks

Imagine a hacker quietly stealing certificates for your top execs, good for years of backdoor access. CVE-2026-20929 makes it dead simple via DNS tricks—your AD setup's nightmare.

Threat Digest Apr 03, 2026 4 min read 13 views

Diagram of Kerberos authentication relay attack using DNS CNAME records to AD CS

⚡ Key Takeaways

CVE-2026-20929 enables Kerberos relay to AD CS via CNAME DNS abuse, stealing long-lived certificates. 𝕏
Patch immediately from Jan 2026 Tuesday; detect via cert auth + AD CS correlations. 𝕏
Ditch HTTP web enrollment—it's a relic inviting persistent hacks. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#AD CS attacks #AD CS exploitation #Active Directory security #CVE-2026-20929 #DNS CNAME abuse #Kerberos relay

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by CrowdStrike Blog

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

ShareFile's Double Flaw: Unauthenticated RCE via Config Hijack and Web Shell Drop

North Korean Hackers Hijack Drift's Governance, Wipe Out $280 Million in User Funds

Doctor No's Demise: Block Prompts, Not Productivity

Meta Safety Boss Races to Stop OpenClaw from Wiping Her Inbox

Stay in the loop