A Look in the Mirror - The Reflective Kerberos Relay Attack

It is a sad truth in IT security that some vulnerabilities never quite want to die: time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active Directory, we accidentally revived the reflective relay attack. Since 2008, with MS08-068, it has been impossible to relay NTLM messages back to the host they were initiated from. In 2025 we asked ourselves: what if we try it with Kerberos instead?
As it turns out, this question led to the discovery of the Reflective Kerberos Relay Attack. It not only bypasses the restrictions put in place against NTLM reflection, but it also exploits a privilege-escalation vulnerability. If you can coerce any Windows host to authenticate back to you via SMB, you can relay the computer account’s Kerberos ticket back to that same host and obtain NT AUTHORITY\SYSTEM privileges, and thereby Remote Code Execution.
A patch for this vulnerability was released as part of Patch Tuesday on 10th June 2025.