OrangeCon 2026

The Gift That Keeps On Giving: Bypassing Authentication Reflection Mitigations For SYSTEM Shells
2026-06-04, Track 2

A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This presentation will cover our journey to bypass the mitigations and pop SYSTEM shells again.

In this session, we will start with a reminder of the internals of the CVE-2025-33073 vulnerability. We will then build on this to present the generic and iterative bypass methodology that was followed during the research. The methodology will be immediately illustrated by disclosing the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.

Afterwards, we will transition to Kerberos, where attack scenarios will be discussed with both total and partial control of DNS. The attack vector will progressively be refined to finally achieve a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique. Throughout this part, in-depth and undocumented details on the inner workings of several specific Windows components will be shared to provide a better understanding of the vulnerability. In the second part, we will dive into how this vulnerability was short-lived and unintentionally patched. Eventually, our methodology will once again be applied to transform it into a privilege escalation vulnerability.

The final section will cover the patches' analysis, as well as our thoughts on the current state of authentication reflection vulnerabilities.


Presentation Outline

Brief Outline

  1. Introduction, context and methodology
  2. 1st case study: LPE via NTLM reflection
  3. 2nd case study: RCE via Kerberos reflection
    3a. RCE in the local subnet
    3b. General RCE
    3c. Unintentional patch analysis, failed bypass attempts and LPE
  4. Patches analysis
  5. Conclusion and thoughts on the current state of authentication reflection attacks

Detailed Outline

Introduction, context and methodology

In the introduction, we will present the context of the research: briefly recall the details of CVE-2025-33073 and why the patch seemed insufficient. After that, we will present all the possible avenues for bypasses and derive a generic, methodical approach that will efficiently guide our tests.

1st case study: LPE via NTLM reflection

We will quickly put our methodology to the test by disclosing the first vulnerability that we identified: a trivial elevation of privilege via NTLM reflection. This vulnerability exploits a specific feature that was recently added to Windows 11 and Windows Server 2025.

2nd case study: RCE via Kerberos reflection

RCE in the local subnet

This section will explain how the Kerberos-related research began when one of our colleagues tried to use MitM via DHCPv6 poisoning to perform Kerberos reflection. Although it failed, it piqued our interest and motivated us to dig a bit further. We will describe the two main reasons why the attack did not work. Afterwards, we will explain how we modified the attack to make it work, by keeping the DNS control primitive and using a surprising SPN and DNS trick to receive a Kerberos authentication and relay it back to the machine to compromise it.

General RCE

Next, we will present how the previous subnet-only primitive was improved to make it work on any machine of the network, thus achieving a full bypass of CVE-2025-33073.

Unintentional patch analysis, failed bypass attempts and LPE

Finally, the last subsection will explain how this RCE was short-lived because of the patch for another vulnerability. We will dive into the patch and apply our methodology to try to find bypasses. We will describe how we failed to obtain an RCE vector again, but also how we managed to successfully transform the attack into a privilege escalation vulnerability.

Patches analysis

This section will describe the official patches released by Microsoft: we will explain what they do and how they fix the vulnerabilities.

NB: As the vulnerabilities are still in the process of being fixed, no information about the patches is currently known.

Conclusion and thoughts on the current state of authentication reflection attacks

To conclude, we will give our opinion on the current state of authentication reflection attacks and explain why authentication relay mitigations are essential to efficiently secure a Windows environment.

This conclusion will also open the door to applying the novel techniques described during the presentation to other Windows components, not related to authentication reflection attacks.

Guillaume is a penetration tester and security researcher working at Synacktiv. During his career, he developed a healthy addiction to Windows systems and their internals. He is also passionate about Active Directory security, a topic on which he gathered solid knowledge through several Red Team engagements and internal pentests.