CVE-2025-60704

7.5 HIGH

📋 TL;DR

This vulnerability in Windows Kerberos allows attackers to bypass cryptographic validation steps, enabling privilege escalation over network connections. It affects Windows systems using Kerberos authentication, potentially allowing unauthorized users to gain elevated access.

💻 Affected Systems

Products:
  • Windows Kerberos implementation
Versions: Specific Windows versions as detailed in Microsoft advisory
Operating Systems: Windows Server, Windows Client
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using Kerberos authentication. Domain controllers and member servers are both potentially vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete domain compromise where attackers gain Domain Admin privileges and control the entire Active Directory environment.

🟠 Likely Case

Attackers gain elevated privileges on specific systems, potentially accessing sensitive data or moving laterally within the network.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only affecting isolated systems.

🌐 Internet-Facing: MEDIUM - Requires network access to Kerberos services, but many organizations don't expose these directly to the internet.
🏢 Internal Only: HIGH - Attackers with internal network access can exploit this to escalate privileges within the domain.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access and understanding of Kerberos protocol. Attackers need to be able to send crafted Kerberos messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60704

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Network Segmentation (applies to: windows)

Restrict access to Kerberos ports (TCP/UDP 88) to trusted systems only

Use Windows Firewall, replacing untrusted_ips with the address ranges to block: netsh advfirewall firewall add rule name="Block Kerberos" dir=in action=block protocol=TCP localport=88 remoteip=untrusted_ips (this rule covers TCP only; a second rule with protocol=UDP is needed for UDP 88, and on domain controllers the remoteip scope must exclude legitimate clients or authentication will break).

Monitor Kerberos Traffic (applies to: all)

Implement network monitoring for unusual Kerberos authentication patterns

🧯 If You Can't Patch

  • Implement strict network segmentation around Kerberos services
  • Enable enhanced logging and monitoring for Kerberos authentication events

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for missing security patches related to CVE-2025-60704

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the KB from the Microsoft advisory is installed via: wmic qfe list | findstr KB (wmic is deprecated on recent Windows builds; Get-HotFix in PowerShell lists the same installed updates)

📡 Detection & Monitoring

Log Indicators:

  • Unusual Kerberos authentication failures
  • Multiple privilege escalation attempts via Kerberos
  • Anomalous Service Ticket requests

Network Indicators:

  • Unusual Kerberos traffic patterns
  • Multiple authentication requests from single source
  • Malformed Kerberos packets

SIEM Query:

EventID=4768 (Kerberos authentication ticket, TGT, requested) OR EventID=4769 (Kerberos service ticket requested), from the Security log of domain controllers, filtered for unexpected client addresses, unusual volumes per source, or unusual ticket requests
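The SIEM query above stated as runnable detection logic, added here as an example that is not part of the original advisory: it aggregates constructed 4768/4769 event records per client address and flags the "multiple requests from a single source" and "anomalous service ticket request" patterns; the field names mirror the EventData of those events, while the sample values and thresholds are assumptions.

```python
# Added example (not from the advisory): per-source aggregation of Windows
# Security events 4768 (TGT requested) and 4769 (service ticket requested).
from collections import defaultdict


def _ev(eid, ip, user, svc, status="0x0"):
    """Build one constructed event; field names follow the 4768/4769 EventData."""
    return {"EventID": eid, "IpAddress": ip, "TargetUserName": user,
            "ServiceName": svc, "Status": status}


# Constructed sample log: one quiet host and one noisy host. Status "0x0" is
# success; "0x7" stands in for any non-zero Kerberos result code.
SAMPLE_EVENTS = [_ev(4768, "::ffff:10.0.0.5", "alice", "krbtgt"),
                 _ev(4769, "::ffff:10.0.0.5", "alice", "cifs/fs01")]
SAMPLE_EVENTS += [_ev(4769, "::ffff:10.0.0.77", "bob", f"svc{i}/host{i}",
                      "0x0" if i < 4 else "0x7") for i in range(8)]
SAMPLE_EVENTS += [_ev(4768, "::ffff:10.0.0.77", "bob", "krbtgt") for _ in range(4)]


def normalize_ip(addr):
    """4768/4769 record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def summarize(events):
    """Count TGT requests, service ticket requests, failures and distinct SPNs per source."""
    per_source = defaultdict(lambda: {"tgt": 0, "st": 0, "failures": 0, "services": set()})
    for ev in events:
        if ev["EventID"] not in (4768, 4769):
            continue
        s = per_source[normalize_ip(ev["IpAddress"])]
        if ev["EventID"] == 4768:
            s["tgt"] += 1
        else:
            s["st"] += 1
            s["services"].add(ev["ServiceName"])
        if ev["Status"] != "0x0":
            s["failures"] += 1
    return per_source


def flag_sources(events, max_requests=10, max_failures=3, max_services=5):
    """Return {source_ip: [reasons]} for sources exceeding any assumed threshold."""
    flagged = {}
    for ip, s in summarize(events).items():
        reasons = []
        total = s["tgt"] + s["st"]
        if total > max_requests:
            reasons.append(f"{total} ticket requests")
        if s["failures"] > max_failures:
            reasons.append(f"{s['failures']} failed requests")
        if len(s["services"]) > max_services:
            reasons.append(f"{len(s['services'])} distinct services requested")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Thresholds should be tuned against a baseline of normal ticket volume per host before the output is used as an alert.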
