Microsoft's June 2026 Patch Tuesday includes CVE-2026-47288, a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre (KDC) service. The KDC is the core authentication component of Active Directory: it runs on every domain controller and processes authentication requests from every domain-joined device. A successful exploit achieves SYSTEM-level code execution on the domain controller, the highest-privilege target in any Windows Active Directory environment.
Vulnerability Details
CVE-2026-47288 is a memory corruption flaw in the KDC's handling of Kerberos AS-REQ (Authentication Service Request) messages, the initial message a client sends to obtain a Ticket Granting Ticket (TGT). The KDC has to parse an AS-REQ before it can verify anything about the sender, so the vulnerable code path is reachable by an unauthenticated attacker who can deliver a packet to the KDC's listening port.
Attack vector: network. Kerberos is a routed protocol, so any host that can reach port 88/TCP or 88/UDP on a domain controller can deliver the malicious AS-REQ. In practice that is the entire enterprise LAN plus any network segment with routing access to domain controller IPs on port 88.
Authentication required: None. The AS-REQ processing occurs before the client presents credentials.
Impact: SYSTEM-level code execution on the domain controller. In Active Directory terms this is equivalent to Domain Admin compromise: from SYSTEM on a domain controller an attacker can extract every domain credential from NTDS.dit (including the krbtgt account key), create new accounts, plant persistent backdoors in the directory, and move to any system in the domain.
Affected systems: All Windows Server versions acting as Active Directory domain controllers:
- Windows Server 2008 R2 (extended support)
- Windows Server 2012/2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Standalone servers and workstations running the KDC service (uncommon outside domain controller roles) are also affected.
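The affected-systems list above is only useful once it is mapped onto your own domain controllers. The following PowerShell is an added example, not code from the advisory or from Microsoft: it enumerates every DC in the current domain, orders them with the PDC Emulator first (the patch order the advisory recommends further down), and reports whether a given update is installed on each. The KB article number is a placeholder you must replace with the real June 2026 update KB for each OS version; `Get-HotFix` reads Win32_QuickFixEngineering over WMI, so the DCs must be reachable that way from where you run it.

```powershell
# Added example, not code from the original advisory or from Microsoft.
# Enumerates every domain controller in the current domain, PDC Emulator first
# (the order the advisory recommends for patching), and reports whether the
# given update is installed. $KbArticle is a placeholder: substitute the real
# KB number of the June 2026 Windows Server update for each OS version.
# Requires the ActiveDirectory RSAT module and WMI (DCOM) access to each DC.
param(
    [Parameter(Mandatory)]
    [string] $KbArticle        # e.g. 'KB5000000' (placeholder value, not the real KB)
)

Import-Module ActiveDirectory

# PDC Emulator first, then the remaining DCs alphabetically by host name.
$dcs = Get-ADDomainController -Filter * |
    Sort-Object @{ Expression = { $_.OperationMasterRoles -contains 'PDCEmulator' }; Descending = $true },
                HostName

$order  = 0
$report = foreach ($dc in $dcs) {
    $order++
    $status = 'Missing'
    try {
        # Get-HotFix lists Win32_QuickFixEngineering entries; cumulative updates appear there by KB number.
        $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
        $match = $installed | Where-Object { $_.HotFixID -eq $KbArticle }
        if ($match) { $status = 'Installed' }
    } catch {
        # An unreachable DC is reported as unknown rather than silently counted as missing.
        $status = "Unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        PatchOrder       = $order
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        IsPdcEmulator    = [bool]($dc.OperationMasterRoles -contains 'PDCEmulator')
        UpdateStatus     = $status
    }
}

$report | Format-Table -AutoSize

# Anything not 'Installed' is still exposed on port 88 and needs attention.
$report | Where-Object { $_.UpdateStatus -ne 'Installed' } |
    ForEach-Object { Write-Warning "$($_.DomainController): $($_.UpdateStatus)" }
```

Run it as `.\Check-KdcPatch.ps1 -KbArticle KB<number>` from a management host with the AD module installed. A DC that reports `Unknown` has not been verified; do not treat it as patched until WMI access is fixed or the update is confirmed on the host itself.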
Enterprise Impact Assessment
Domain controllers are the crown jewels of any Active Directory environment. Compromise of a single domain controller, which CVE-2026-47288 achieves directly, typically results in:
- Complete domain compromise: all domain accounts, service accounts, and computer accounts are accessible
- Credential harvest: the NTDS.dit database contains password hashes for all domain accounts
- Persistence: attackers can create directory-level persistence (Golden Ticket attacks, AdminSDHolder modifications) that survives endpoint remediation
- Lateral movement: Kerberos tickets forged with the krbtgt key extracted from a compromised DC are trusted by every system in the domain
This attack path (DC compromise, then domain-wide credential harvest, then persistent access) is the standard playbook for ransomware operators once they have a foothold. CVE-2026-47288 collapses the chain by providing direct DC compromise without first requiring access to a domain-joined endpoint.
Recommended Actions
Patch immediately: domain controllers should receive the June 2026 Windows Server update at emergency priority. This is not a "next maintenance window" patch; the risk of direct DC exploitation warrants out-of-cycle patching wherever operationally feasible.
Deployment order: patch domain controllers before member servers. Patch the PDC Emulator FSMO role holder first, then the remaining DCs in the domain in your established DC patching sequence, allowing AD replication to complete between steps so that any directory changes the update makes propagate across the topology.
Network controls (interim): if immediate patching is not possible, restrict access to port 88/TCP and 88/UDP on domain controllers to known internal subnets. Block these ports from externally routed segments, VPN-connected partner networks, and guest Wi-Fi segments that should never talk to a DC directly. Keep the allow list broad enough to cover every client subnet, member server, and the other domain controllers: every domain member needs Kerberos, so an over-tight rule produces an authentication outage rather than a security gain.
Monitoring: after patching, review domain controller Security event logs for unusual authentication events (Event ID 4768, TGT requests, and 4769, service ticket requests) from unexpected source IP addresses in the days preceding the patch; these may indicate exploitation attempts or pre-patch exploitation. Bear in mind that a malformed AS-REQ that crashes or hijacks the KDC is not guaranteed to be audited, so also look for unexplained domain controller restarts or LSASS crashes in the same window.
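The interim network control and the post-patch log review above, as one added PowerShell example that is not part of the advisory and not Microsoft's code. Part 1 narrows every inbound Windows Firewall rule that opens port 88 to a list of allowed subnets; part 2 pulls 4768/4769 events from the Security log and reports those whose client address falls outside that list. The subnet list, the lookback window, and the rule-discovery approach are assumptions for illustration; run it in an elevated session on each domain controller after substituting your own ranges.

```powershell
# Added example, not code from the original advisory or from Microsoft.
# Part 1 (interim control): scope inbound port-88 firewall rules to $AllowedSubnets.
#   Windows Firewall gives block rules precedence over allow rules, so narrowing the
#   existing allow rules (rather than adding a blanket block) is what keeps Kerberos
#   working for trusted clients while shutting out everything else.
# Part 2 (review): list 4768/4769 events from clients outside $AllowedSubnets.
# Values below are placeholders; the allow list must include every client subnet,
# member server range, and the subnets of the other domain controllers.

$AllowedSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder ranges
$LookbackDays   = 14                                   # placeholder window

function ConvertTo-IPv4Int {
    param([System.Net.IPAddress] $Ip)
    $b = $Ip.GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InSubnets {
    # $true if $Address is an IPv4 address inside any CIDR in $Subnets.
    # IPv6 or unparsable addresses return $false so that they surface in the report.
    param([string] $Address, [string[]] $Subnets)

    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref] $parsed)) { return $false }
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }

    $addr = ConvertTo-IPv4Int $parsed
    foreach ($cidr in $Subnets) {
        $net, $prefix = $cidr -split '/'
        $prefix = if ($null -ne $prefix) { [int] $prefix } else { 32 }   # bare address = /32
        $mask   = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
        $netInt = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($net))
        if (($addr -band $mask) -eq ($netInt -band $mask)) { return $true }
    }
    return $false
}

# --- Part 1: narrow every inbound allow rule for port 88 to the allowed subnets ---
$profile = Get-NetFirewallProfile -Name Domain
if ($profile.DefaultInboundAction -eq 'Allow') {
    Write-Warning 'Domain profile default inbound action is Allow; scoping rules only helps when unsolicited inbound traffic is blocked by default.'
}

$kerberosRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '88' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $kerberosRules) {
    Write-Host "Scoping '$($rule.DisplayName)' to $($AllowedSubnets -join ', ')"
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedSubnets
}

# --- Part 2: 4768/4769 events whose client address is outside the allowed subnets ---
$since  = (Get-Date).AddDays(-$LookbackDays)
$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # no matches returns nothing, not an error

$suspect = foreach ($event in $events) {
    $xml  = [xml] $event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The KDC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix before matching.
    $client = ($data['IpAddress'] -replace '^::ffff:', '')
    if ($client -eq '::1') { continue }   # the DC's own local requests
    if (-not (Test-IPv4InSubnets -Address $client -Subnets $AllowedSubnets)) {
        [pscustomobject]@{
            TimeCreated   = $event.TimeCreated
            EventId       = $event.Id
            ClientAddress = $client
            TargetUser    = $data['TargetUserName']
            ServiceName   = $data['ServiceName']
        }
    }
}

$suspect | Sort-Object ClientAddress, TimeCreated | Format-Table -AutoSize
```

Two operational caveats. Firewall rules delivered by Group Policy cannot be changed with a local `Set-NetFirewallRule`; those have to be scoped in the GPO that defines them, otherwise the local change is overwritten at the next refresh. And 14 days of 4768/4769 events on a busy DC can run to millions of records, so either shorten `$LookbackDays`, add `-MaxEvents`, or point the same filter at a SIEM that already collects the Security log.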
Kerberos Architecture Note
Unlike some authentication vulnerabilities that can be mitigated by disabling an unused feature, CVE-2026-47288 sits in the core Kerberos AS-REQ path, the first message of every Kerberos authentication exchange. Disabling Kerberos is not a viable mitigation, since it would break all domain authentication in the affected environment. Patching is the only reliable remediation.