Micropatches released for Windows Kerberos Elevation of Privilege Vulnerability (CVE-2025-60704)

Mitja KolsekJul 14, 2026
Micropatches released for Windows Kerberos Elevation of Privilege Vulnerability (CVE-2025-60704)

November 2025 Windows Updates brought a patch for CVE-2025-60704, a privilege escalation vulnerability in Kerberos, allowing the attacker residing in local network to impersonate any domain user.

The vulnerability was found and reported to Microsoft by Eliran Partush and Dor Segal with Silverfort. Eliran also published a detailed analysis of the issue, which, with a bit of our own effort, allowed us to reproduce the issue and create patches for legacy Windows users.

The Vulnerability 

This vulnerability allows a downgrade of a S4U2Self request to (unsafe) RC4 and consequently forging of any domain user's identity. For more details see Eliran's article.

Microsoft's Patch

Microsoft fixed this issue by correctly validating the Kerberos request.

Our Patch

Our patch is logically identical to Microsoft's.

Let's see our patch in action. To demonstrate the vulnerability, we built a simple web application that tries to open two files on a network share: public.txt can be read by any domain user, while secret.txt can only be read by System and Administrators. The web application uses the identity of the requesting user to open these files.

First, with 0patch disabled, the attacker authenticates to the web application as a low-privileged domain user, but does so through a proxy that exploits the vulnerability and effectively makes the request look as if it came from the administrator. Consequently, the web application successfully opens both files - including the secret.txt file.

With 0patch enabled, this attack doesn't work anymore: the web application can still open public.txt, but is no longer confused about the user's identity and correctly fails to open secret.txt.

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated

  2. Windows 11 v21H2 - fully updated

  3. Windows 10 v22H2 - fully updated

  4. Windows 10 v21H2 - fully updated

  5. Windows 10 v21H1 - fully updated

  6. Windows 10 v20H2 - fully updated

  7. Windows 10 v2004 - fully updated

  8. Windows 10 v1909 - fully updated

  9. Windows 10 v1809 - fully updated

  10. Windows 10 v1803 - fully updated

  11. Windows 7 - fully updated with no ESU, with ESU 1, ESU 2 or ESU 3

  12. Windows Server 2008 R2 - fully updated with no ESU, with ESU 1, ESU 2, ESU 3 or ESU 4

  13. Windows Server 2012 - fully updated with no ESU, with ESU 1 or ESU 2

  14. Windows Server 2012 R2 - fully updated with no ESU, with ESU 1 or ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things. 

We'd like to thank Eliran Partush and Dor Segal with Silverfort for sharing their analysis, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.