CVE-2025-60704: Elevation of Privilege via Missing Cryptographic Step in Windows Kerberos S4U (CheckSum)

CVE-2025-60704 is an elevation of privilege vulnerability located within the Key Distribution Center (KDC) component of Windows Kerberos. The vulnerability specifically affects the Service for User to Self (S4U2self) extension, a feature also known as Protocol Transition. This extension allows a service to request a Kerberos service ticket to itself on behalf of a user, typically after the user has authenticated to the service using a non-Kerberos method.

The core of the vulnerability is classified as CWE-325 (Missing Cryptographic Step). During the S4U2self process, the KDC must validate the identity of the user being impersonated. This validation relies on cryptographic evidence provided within the PA-S4U-X509-USER pre-authentication data structure. The KDC fails to enforce the presence of a robust, keyed cryptographic checksum during this exchange.

Due to this missing validation step, an attacker can submit a crafted Kerberos Ticket-Granting Service Request (TGS-REQ) that manipulates the identity fields without providing the required cryptographic proof. The KDC processes this malformed request and issues a valid service ticket for the forged identity, creating a direct path to privilege escalation within Active Directory environments.

The root cause of CVE-2025-60704 lies in the KDC's implementation of checksum verification for the PA-S4U-X509-USER padata structure. According to the Kerberos protocol specifications, this structure must contain a keyed checksum generated using the requesting service's long-term key. This keyed checksum serves as cryptographic proof that the service legitimately possesses the authority to assert the user's identity.

The vulnerable Windows KDC implementation contains a downgrade flaw in this validation logic. The KDC permits the requesting entity to supply an unkeyed checksum, or a weakly validated checksum, in place of the mandatory keyed checksum. The KDC accepts this downgraded cryptographic evidence without verifying it against the service's long-term key, bypassing the primary security mechanism designed to prevent identity forgery.

Once the KDC accepts the downgraded checksum, the protocol transition succeeds. The KDC issues a Service Ticket containing the manipulated user identity. Subsequent validation processes on the client and service sides implicitly trust the ticket issued by the KDC. Because the ticket is cryptographically signed by the KDC, the downstream services lack the capability to detect that the identity was originally forged during the TGS-REQ phase.

Understanding the vulnerability requires examining the ASN.1 structure of the PA-S4U-X509-USER padata. The structure includes a user-id field for the identity assertion and a cksum field intended to secure the assertion. The vulnerability exists because the validation routine processing the cksum field fails to reject unkeyed cryptographic algorithms.

PA-S4U-X509-USER ::= SEQUENCE {
    user-id       [0] S4UUserID,
    checksum      [1] Checksum
}
 
Checksum ::= SEQUENCE {
    cksumtype     [0] Int32,
    checksum      [1] OCTET STRING
}

In the vulnerable implementation, the KDC processes the cksumtype provided by the client. If the client specifies an unkeyed algorithm (e.g., CRC32 or MD5 without a key), the KDC calculates the unkeyed hash over the user-id structure and compares it to the provided checksum value. The patch modifies this logic to strictly enforce keyed algorithms (e.g., HMAC-MD5, HMAC-SHA1-96-AES) and verifies the checksum using the service's key.

// VULNERABLE LOGIC: Weak checksum validation
status = verify_checksum(request->cksumtype, request->checksum, data);
if (status == SUCCESS) {
    issue_s4u2self_ticket();
}
 
// PATCHED LOGIC: Enforcing keyed checksums
if (!is_keyed_checksum_type(request->cksumtype)) {
    return KRB_ERR_GENERIC;
}
status = verify_keyed_checksum(request->cksumtype, service_key, request->checksum, data);
if (status == SUCCESS) {
    issue_s4u2self_ticket();
}

The exploitation of CVE-2025-60704 occurs in a multi-stage sequence, targeting the protocol transition and constrained delegation mechanisms. The attacker initiates the exploit by constructing a malicious TGS-REQ message. This request targets a service configured for Protocol Transition (TrustedToAuthForDelegation). The attacker populates the PA-S4U-X509-USER structure with the identity of a high-privileged user, such as a Domain Administrator, and applies an unkeyed checksum.

The attacker submits this malformed TGS-REQ to the Domain Controller. The vulnerable KDC processes the request, accepts the unkeyed checksum due to the downgrade flaw, and issues a Service Ticket to the target service. This ticket asserts the identity of the forged high-privileged user. This newly acquired ticket functions as an evidence ticket for the next phase of the attack.

In the final phase, the attacker leverages Kerberos Constrained Delegation (S4U2proxy). The attacker presents the forged evidence ticket to the KDC in a new TGS-REQ, requesting access to a backend service (e.g., CIFS, LDAP) on behalf of the impersonated administrator. The KDC validates the evidence ticket and issues a new Service Ticket for the backend service. The attacker utilizes this ticket to execute arbitrary commands or access sensitive data on the target system.

The following diagram illustrates the sequence of operations during a successful exploitation of the CheckSum vulnerability. The critical failure occurs at step 3, where the KDC accepts the downgraded checksum.

The diagram highlights the transition from obtaining the initial S4U2self evidence ticket to the subsequent S4U2proxy request, which ultimately grants access to the backend infrastructure.

The security impact of CVE-2025-60704 is severe for organizations heavily reliant on Active Directory and Kerberos delegation. A successful exploit permits an attacker to impersonate any user within the domain, bypassing standard authentication controls. When combined with Constrained Delegation, this impersonation capability translates directly to unauthorized access to critical services and data.

The CVSS v3.1 vector is evaluated at 7.5 (High), reflecting the High impact metrics for Confidentiality, Integrity, and Availability. The attack allows the execution of administrative functions on compromised services. The score is tempered by the High Attack Complexity (AC:H) and the User Interaction requirement (UI:R), as the vulnerability involves specific protocol states and relies on existing delegation configurations within the environment.

The vulnerability is highly contingent on the Active Directory configuration. Environments that extensively utilize Protocol Transition and Constrained Delegation are at the highest risk. The exploit chain effectively neutralizes the boundary between service accounts and domain administrator privileges, rendering the principle of least privilege ineffective once the initial S4U boundary is breached.

The primary remediation for CVE-2025-60704 is the application of the November 11, 2025, Cumulative Update provided by Microsoft. This update must be applied to all Domain Controllers to correct the KDC validation logic. Patching endpoint workstations and member servers is also recommended to ensure consistent protocol handling across the domain.

In addition to patching, organizations must audit their Active Directory environments for accounts configured with Protocol Transition (TrustedToAuthForDelegation). Administrators should review the msDS-AllowedToDelegateTo attribute on service accounts to ensure that Constrained Delegation is strictly limited to necessary backend services. Removing unnecessary delegation rights significantly reduces the attack surface available for the S4U2proxy phase of the exploit.

Security operations teams should implement robust monitoring for anomalous Kerberos activity. Detection strategies should focus on identifying unusual TGS-REQ events (Event ID 4769) that utilize S4U2self, particularly requests originating from unexpected network segments or involving downgraded encryption types. Behavioral analytics that baseline normal delegation patterns can help identify the anomalous service-to-service ticket requests characteristic of this attack chain.