BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//orangecon-2026//talk//ZKVM3A
BEGIN:VEVENT
UID:pretalx-orangecon-2026-ZKVM3A@pretalx.com
DTSTART:20260604T100500Z
DTEND:20260604T103500Z
DESCRIPTION:A year ago\, authentication reflection vulnerabilities resurfac
 ed as a powerful attack vector through the discovery of CVE-2025-33073. Th
 is logical vulnerability allowed taking over almost any Windows machine wi
 thout any user interaction. Following the official patch by Microsoft\, we
  had a gut feeling that the root cause of the issue was still not addresse
 d. This presentation will cover our journey to bypass the mitigations and 
 pop SYSTEM shells again.\n\nIn this session\, we will start with a reminde
 r regarding the internals of the CVE-2025-33073 vulnerability. We will the
 n build up on this to present the generic and iterative bypass methodology
  that was followed during the research. The methodology will be immediatel
 y illustrated by disclosing the first vulnerability that we uncovered: a t
 rivial local privilege escalation via NTLM reflection.\n\nAfterwards\, we 
 will transition to Kerberos where attack scenarios will be discussed\, wi
 th both total and partial control of DNS. The attack vector will progressi
 vely be refined to finally achieve a full-blown RCE primitive as domain us
 er\, via a completely novel Kerberos authentication coercion technique. Th
 roughout this part\, in-depth and undocumented details on the inner workin
 g of several specific Windows components will be shared to provide a bette
 r understanding of the vulnerability. In a second part\, we will dive into
  how this vulnerability was short-lived and unintentionally patched. Event
 ually\, our methodology will once again be applied to transform it into a 
 privilege escalation vulnerability.\n\nThe final section will cover the pa
 tches' analysis\, as well as our thoughts on the current state of authenti
 cation reflection vulnerabilities.
DTSTAMP:20260525T201456Z
LOCATION:Track 2
SUMMARY:The Gift That Keeps On Giving: Bypassing Authentication Reflection 
 Mitigations For SYSTEM Shells - Guillaume André
URL:https://pretalx.com/orangecon-2026/talk/ZKVM3A/
END:VEVENT
END:VCALENDAR
