Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network.
AnalysisAI
Windows Kerberos authorization bypass enables authenticated attackers on adjacent networks to escalate privileges to high integrity levels across Windows Server 2012 through 2025. The flaw affects both desktop experience and Server Core installations. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of user interaction (UI:N) suggest straightforward exploitation once adjacent network access is achieved.
Technical ContextAI
This vulnerability exploits improper authorization enforcement (CWE-285) within the Windows Kerberos implementation, the default authentication protocol for Active Directory environments. Kerberos relies on ticket-granting services and authorization data embedded in service tickets to enforce access controls. The authorization flaw allows an attacker with low-privilege credentials to manipulate or bypass authorization checks during the Kerberos authentication process, potentially forging privileged access tokens or obtaining unauthorized service tickets. The adjacent network attack vector (AV:A) indicates the attacker must be on the same network segment as the target, typical in domain environments where Kerberos traffic occurs. All Windows Server versions from 2012 through 2025 are affected, including Server Core installations which are commonly deployed in enterprise infrastructure for reduced attack surface. The scope remains unchanged (S:U), meaning the vulnerability does not allow breaking out of the immediate security context, but achieves complete compromise within that context (C:H/I:H/A:H).
RemediationAI
Apply vendor-released security updates immediately, prioritizing domain controllers and authentication infrastructure. Patched versions include Windows Server 2012 6.2.9200.26026 or later, Windows Server 2012 R2 6.3.9600.23132 or later, Windows Server 2016 10.0.14393.9060 or later, Windows Server 2019 10.0.17763.8644 or later, Windows Server 2022 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition 10.0.25398.2274 or later, and Windows Server 2025 10.0.26100.32690 or later. Download patches through Microsoft Update Catalog or WSUS. Given the Kerberos authentication impact, test patches in non-production domain controllers before enterprise-wide deployment to avoid authentication disruptions. Implement network segmentation to limit adjacent network access to authentication servers, enforce least-privilege access controls to reduce the pool of potential authenticated attackers, and monitor Kerberos traffic for anomalous ticket requests or authorization patterns. Complete remediation guidance is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22453