<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>CipherWatch — Identity &amp; Access Management</title><description>Security intelligence covering Identity &amp; Access Management: Authentication, authorization, access control models, identity federation, and MFA.</description><link>https://cipherwatch.io/</link><language>en-gb</language><item><title>Microsoft 365 Copilot &apos;SearchLeak&apos; CVE-2026-42824 — One-Click Exfiltration of Emails, Files, and MFA Codes</title><link>https://cipherwatch.io/articles/2026-06-16-m365-copilot-searchleak-cve-2026-42824-data-exfiltration/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-16-m365-copilot-searchleak-cve-2026-42824-data-exfiltration/</guid><description>Varonis Threat Labs chained three vulnerabilities in Microsoft 365 Copilot into a single attack that exfiltrates emails, corporate files, and MFA authentication codes from a victim&apos;s account with a single click on a malicious link. Microsoft patched all three flaws server-side; no client update is required, but the disclosure illuminates the structural risks of embedding AI systems with broad data access into enterprise environments.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><category>microsoft-365</category><category>copilot</category><category>ai-security</category><category>prompt-injection</category><category>cve-2026-42824</category><category>data-exfiltration</category></item><item><title>SimpleHelp Remote Support: New OIDC Flaw Lets Unauthenticated Attackers Create Rogue Privileged Technician Accounts</title><link>https://cipherwatch.io/articles/2026-06-15-simplehelp-oidc-rogue-technician-account-creation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-15-simplehelp-oidc-rogue-technician-account-creation/</guid><description>A new authentication vulnerability in SimpleHelp Remote Support — distinct from the path traversal and privilege escalation flaws patched earlier 
in 2026 — allows an unauthenticated attacker to exploit a flaw in the OIDC single sign-on implementation to create privileged technician accounts with full remote session capabilities. SimpleHelp has released emergency patches; exploitation has been observed in the wild.</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><category>simplehelp</category><category>rmm</category><category>remote-support</category><category>oidc</category><category>account-takeover</category><category>authentication-bypass</category><category>actively-exploited</category></item><item><title>Windows DHCP Rogue Server Attacks: NAC and DHCP Guard Controls Against CVE-2026-44815</title><link>https://cipherwatch.io/articles/2026-06-13-windows-dhcp-rogue-server-nac-controls/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-13-windows-dhcp-rogue-server-nac-controls/</guid><description>CVE-2026-44815 in the Windows DHCP Client enables SYSTEM-level RCE via a rogue DHCP server on the same broadcast domain. 
DHCP Snooping (DHCP Guard) on enterprise switches is the primary compensating control while patching proceeds, but its effectiveness depends on consistent enforcement across all access-layer switches and correct handling of edge cases like DHCP relay configurations.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>dhcp</category><category>cve-2026-44815</category><category>rogue-server</category><category>nac</category><category>network-access-control</category><category>dhcp-snooping</category><category>switching</category><category>802-1x</category><category>enterprise-network</category><category>2026</category></item><item><title>Hardening Active Directory Against CVE-2026-47288 and the Kerberos Attack Surface</title><link>https://cipherwatch.io/articles/2026-06-12-windows-kerberos-enterprise-hardening-active-directory/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-12-windows-kerberos-enterprise-hardening-active-directory/</guid><description>CVE-2026-47288 in the Windows Kerberos KDC is the most critical Active Directory vulnerability of 2026. Beyond patching, the Kerberos attack surface encompasses golden ticket attacks, AS-REP roasting, Kerberoasting, and credential relay. 
This article provides post-patch hardening guidance for enterprise AD environments.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate><category>kerberos</category><category>active-directory</category><category>cve-2026-47288</category><category>golden-ticket</category><category>kerberoasting</category><category>domain-controller</category><category>identity-security</category><category>enterprise-hardening</category><category>2026</category></item><item><title>Windows Kerberos KDC Remote Code Execution CVE-2026-47288 Puts Domain Controllers at Critical Risk</title><link>https://cipherwatch.io/articles/2026-06-09-windows-kerberos-kdc-rce-cve-2026-47288-domain-controllers/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-09-windows-kerberos-kdc-rce-cve-2026-47288-domain-controllers/</guid><description>CVE-2026-47288 is a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre that allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. All supported Windows Server versions are affected. 
Domain controllers should be treated as the highest-priority patch target in the June 2026 update cycle.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>windows-server</category><category>kerberos</category><category>kdc</category><category>active-directory</category><category>cve-2026-47288</category><category>rce</category><category>domain-controller</category><category>patch-tuesday</category><category>2026</category></item><item><title>Enterprise AI Tool Governance: Controlling Access, Data Flows, and Shadow AI Risk</title><link>https://cipherwatch.io/articles/2026-06-06-enterprise-ai-tool-access-governance-conditional-access/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-06-enterprise-ai-tool-access-governance-conditional-access/</guid><description>The rollout of ChatGPT Lockdown Mode highlights the broader challenge of governing AI tool access in enterprise environments: organisations must balance productivity benefits against data loss risk, prompt-injection exposure, and the proliferation of unofficial AI tools used without IT oversight. 
This guide covers the IAM and DLP controls that define an enterprise AI governance posture.</description><pubDate>Sat, 06 Jun 2026 00:00:00 GMT</pubDate><category>ai-governance</category><category>chatgpt</category><category>shadow-ai</category><category>dlp</category><category>conditional-access</category><category>enterprise-security</category><category>data-loss-prevention</category><category>llm-security</category></item><item><title>DBIR 2026 Identity Chapter: Credential Theft Remains Dominant, MFA Bypass Techniques Accelerating</title><link>https://cipherwatch.io/articles/2026-06-05-dbir-2026-credential-theft-mfa-bypass-identity/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-05-dbir-2026-credential-theft-mfa-bypass-identity/</guid><description>The identity and credential findings from Verizon&apos;s 2026 DBIR show that stolen credentials remain the most common enabler of breaches across all sectors, used in 44% of analysed incidents. More troubling: the DBIR documents a significant increase in MFA bypass techniques — adversary-in-the-middle phishing toolkits, SIM swapping, and push notification fatigue attacks that defeat MFA as commonly deployed.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><category>verizon-dbir</category><category>credential-theft</category><category>mfa</category><category>identity-security</category><category>phishing-resistant-mfa</category><category>passkeys</category><category>adversary-in-the-middle</category><category>2026</category></item><item><title>Healthcare Ransomware and Identity: The IAM Controls That Limit Gentelman&apos;s Blast Radius</title><link>https://cipherwatch.io/articles/2026-06-04-healthcare-ransomware-iam-controls-gentelman/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-04-healthcare-ransomware-iam-controls-gentelman/</guid><description>The Gentelman ransomware group gains initial access through RMM vulnerabilities, but its ability to encrypt an 
entire healthcare network depends on how identity and access management is configured. Strong IAM controls — privileged access segmentation, MFA enforcement on administrative accounts, and service account restrictions — significantly limit what a ransomware operator can encrypt once inside the perimeter.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>healthcare</category><category>gentelman</category><category>iam</category><category>privileged-access</category><category>mfa</category><category>service-accounts</category><category>identity-security</category><category>blast-radius</category></item><item><title>Implementing the Active Directory Tier Model: A Practical Guide for Post-Netlogon Environments</title><link>https://cipherwatch.io/articles/2026-05-31-active-directory-tier-model-implementation-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-31-active-directory-tier-model-implementation-guide/</guid><description>Microsoft&apos;s Active Directory Tier Model separates administrative access by privilege level to prevent credential theft from cascading into full domain compromise. CVE-2026-41089&apos;s impact in poorly segmented environments makes the Tier Model the single highest-leverage post-incident investment. 
This guide covers the implementation sequence for organisations starting from scratch.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>active-directory</category><category>tier-model</category><category>privileged-access</category><category>identity-security</category><category>hardening</category><category>domain-controller</category><category>enterprise-architecture</category></item><item><title>Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation</title><link>https://cipherwatch.io/articles/2026-05-30-netlogon-post-exploitation-identity-containment/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-30-netlogon-post-exploitation-identity-containment/</guid><description>If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>active-directory</category><category>identity-management</category><category>incident-response</category><category>domain-controller</category><category>golden-ticket</category><category>credential-rotation</category><category>ad-recovery</category></item><item><title>Domain Controller Hardening After Netlogon CVE-2026-41089: Reducing the Attack Surface Beyond Patching</title><link>https://cipherwatch.io/articles/2026-05-29-domain-controller-hardening-netlogon-identity-access/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-29-domain-controller-hardening-netlogon-identity-access/</guid><description>Patching CVE-2026-41089 closes the specific vulnerability, but domain controllers remain highly targeted infrastructure. 
This guide covers the access control, network segmentation, and monitoring controls that reduce DC attack surface against the class of unauthenticated RCE threats that Netlogon represents.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>domain-controller</category><category>active-directory</category><category>hardening</category><category>identity-security</category><category>network-segmentation</category><category>windows-server</category><category>tier-model</category><category>access-control</category></item><item><title>SASL Authentication Security in Enterprise Mail Servers: Deprecating DIGEST-MD5 and Hardening SMTP AUTH</title><link>https://cipherwatch.io/articles/2026-05-24-sasl-authentication-enterprise-mail-server-security/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-24-sasl-authentication-enterprise-mail-server-security/</guid><description>The GNU SASL CVE-2026-48829 DIGEST-MD5 crash is a reminder that legacy authentication mechanisms in enterprise mail infrastructure carry risk that is often invisible to security teams. 
A structured review of SASL mechanism configuration in Postfix, Dovecot, and Exchange environments can eliminate entire vulnerability classes while improving authentication security.</description><pubDate>Sun, 24 May 2026 00:00:00 GMT</pubDate><category>sasl</category><category>authentication</category><category>smtp</category><category>postfix</category><category>mail-server</category><category>digest-md5</category><category>scram-sha-256</category><category>security-hardening</category><category>legacy-auth</category></item><item><title>VPN Authentication Bypass: Identity and Access Containment Response After GlobalProtect Compromise</title><link>https://cipherwatch.io/articles/2026-05-21-vpn-compromise-identity-access-containment-response/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-21-vpn-compromise-identity-access-containment-response/</guid><description>When a VPN authentication bypass like CVE-2026-0257 is exploited, the attacker enters the network without leaving identity provider audit trails. Standard identity-based detection misses the initial access. 
This creates a specific response challenge: containing a network breach where the entry event did not generate authentication telemetry and the scope of subsequent access is unknown.</description><pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate><category>vpn</category><category>identity</category><category>incident-response</category><category>globalprotect</category><category>cve-2026-0257</category><category>active-directory</category><category>credential-response</category><category>palo-alto</category></item><item><title>Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review</title><link>https://cipherwatch.io/articles/2026-05-18-identity-layer-limits-pwn2own-week-lessons/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-18-identity-layer-limits-pwn2own-week-lessons/</guid><description>The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. 
Both require defences that go beyond the identity layer.</description><pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate><category>identity</category><category>conditional-access</category><category>mfa</category><category>zero-trust</category><category>exchange</category><category>session-hijacking</category><category>authentication</category><category>entra-id</category></item><item><title>Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem</title><link>https://cipherwatch.io/articles/2026-05-17-exchange-system-rce-conditional-access-bypass/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-17-exchange-system-rce-conditional-access-bypass/</guid><description>The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.</description><pubDate>Sun, 17 May 2026 00:00:00 GMT</pubDate><category>exchange</category><category>identity</category><category>conditional-access</category><category>mfa</category><category>authentication</category><category>server-side-rce</category><category>pwn2own</category><category>zero-trust</category></item><item><title>Microsoft Reverses Course on Edge Plaintext Password Exposure — Update Will Prevent Loading Saved Passwords into Process Memory</title><link>https://cipherwatch.io/articles/2026-05-15-microsoft-edge-plaintext-passwords-fix-reversal/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-15-microsoft-edge-plaintext-passwords-fix-reversal/</guid><description>Following disclosure on 11 May that Microsoft Edge loads saved passwords as plaintext into process memory at startup, Microsoft confirmed it will release a patch preventing password 
data from being loaded into memory outside of active use contexts. The fix addresses the specific vulnerability class that allows process memory dumpers to extract Edge-saved credentials without user interaction.</description><pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate><category>microsoft-edge</category><category>passwords</category><category>credential-security</category><category>browser-security</category><category>plaintext</category></item><item><title>Fortinet Patches Critical Vulnerabilities in FortiAuthenticator and FortiSandbox — Enterprise SSO and Security Infrastructure at Risk</title><link>https://cipherwatch.io/articles/2026-05-12-fortinet-fortiauthenticator-fortibox-critical-patches/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-12-fortinet-fortiauthenticator-fortibox-critical-patches/</guid><description>Fortinet released patches for critical vulnerabilities in FortiAuthenticator and FortiSandbox as part of the May 2026 patch cycle. FortiAuthenticator flaws can enable authentication bypass and session manipulation in enterprise SSO deployments, while FortiSandbox issues affect the analysis platform. 
Apply patches immediately given Fortinet&apos;s established exploitation history.</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>fortiauthenticator</category><category>patch-tuesday</category><category>sso</category><category>authentication</category></item><item><title>VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception</title><link>https://cipherwatch.io/articles/2026-05-11-venom-phishing-kit-m365-senior-executive-aitm/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-venom-phishing-kit-m365-senior-executive-aitm/</guid><description>A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM&apos;s targeting logic filters for high-value accounts — CFOs, CEOs, legal counsel, and board-level contacts — and includes executive-tailored lures designed for low suspicion.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>phishing</category><category>aitm</category><category>microsoft-365</category><category>executives</category><category>session-hijacking</category><category>mfa-bypass</category><category>phishing-as-a-service</category></item><item><title>OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA</title><link>https://cipherwatch.io/articles/2026-05-09-openai-advanced-account-security-fido2-passkey/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-09-openai-advanced-account-security-fido2-passkey/</guid><description>OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, 
and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.</description><pubDate>Sat, 09 May 2026 00:00:00 GMT</pubDate><category>openai</category><category>fido2</category><category>passkeys</category><category>mfa</category><category>phishing-resistant</category><category>account-security</category><category>advanced-protection</category><category>yubico</category></item><item><title>Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required</title><link>https://cipherwatch.io/articles/2026-05-07-ivanti-epmm-cve-2026-6973-rce-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-07-ivanti-epmm-cve-2026-6973-rce-cisa-kev/</guid><description>Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. 
EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.</description><pubDate>Thu, 07 May 2026 00:00:00 GMT</pubDate><category>ivanti</category><category>epmm</category><category>mobileiron</category><category>cve</category><category>rce</category><category>cisa-kev</category><category>mdm</category><category>mobile-device-management</category><category>government</category><category>patch-urgently</category></item><item><title>GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads</title><link>https://cipherwatch.io/articles/2026-05-06-godaddy-managewp-aitm-phishing-google-ads/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-06-godaddy-managewp-aitm-phishing-google-ads/</guid><description>A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. 
Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.</description><pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate><category>phishing</category><category>aitm</category><category>managewp</category><category>godaddy</category><category>wordpress</category><category>google-ads</category><category>malvertising</category><category>mfa-bypass</category><category>session-hijacking</category></item><item><title>Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks</title><link>https://cipherwatch.io/articles/2026-05-03-cordial-snarky-spider-aitm-vishing-sso/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-03-cordial-snarky-spider-aitm-vishing-sso/</guid><description>Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. 
Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.</description><pubDate>Sun, 03 May 2026 00:00:00 GMT</pubDate><category>vishing</category><category>aitm</category><category>sso</category><category>mfa-bypass</category><category>oauth</category><category>cloud-identity</category><category>threat-intelligence</category></item><item><title>ConsentFix v3 Automates Azure OAuth Abuse at Scale — MFA-Bypassing Phishing Platform Circulating on Forums</title><link>https://cipherwatch.io/articles/2026-05-02-consentfix-v3-azure-oauth-phishing-automation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-02-consentfix-v3-azure-oauth-phishing-automation/</guid><description>The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique that allows attackers to gain persistent access to Microsoft 365 tenants without requiring MFA. 
Enterprise security teams should review conditional access policies governing OAuth app registrations and user consent.</description><pubDate>Sat, 02 May 2026 00:00:00 GMT</pubDate><category>oauth</category><category>azure-ad</category><category>phishing</category><category>mfa-bypass</category><category>identity-attack</category><category>microsoft-365</category><category>conditional-access</category></item><item><title>Scattered Spider&apos;s &apos;Tylerb&apos; Pleads Guilty — Senior Member Faces 20 Years for $8M SIM Swap and Enterprise Breaches</title><link>https://cipherwatch.io/articles/2026-04-30-scattered-spider-tylerb-guilty-plea-sim-swap/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-30-scattered-spider-tylerb-guilty-plea-sim-swap/</guid><description>Tyler Robert Buchanan, 24, known online as &apos;Tylerb&apos;, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in Scattered Spider&apos;s 2022 SMS phishing and SIM-swapping campaign that breached Twilio, LastPass, DoorDash, Cloudflare, and at least 130 other organisations. 
The guilty plea represents a significant law enforcement milestone against the English-language cybercrime group responsible for the MGM and Caesars casino breaches.</description><pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate><category>scattered-spider</category><category>sim-swapping</category><category>social-engineering</category><category>phishing</category><category>law-enforcement</category><category>mfa-bypass</category><category>cybercrime-prosecution</category></item><item><title>Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity</title><link>https://cipherwatch.io/articles/2026-04-27-azure-arc-agent-cve-2026-26117-cloud-identity-lpe/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-azure-arc-agent-cve-2026-26117-cloud-identity-lpe/</guid><description>CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host&apos;s Azure managed identity — granting access to all Azure resources the machine identity can reach. 
Microsoft rated the flaw CVSS 7.8; patch immediately given Arc&apos;s growing enterprise footprint.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>azure-arc</category><category>managed-identity</category><category>privilege-escalation</category><category>cve-2026-26117</category><category>cloud-security</category><category>windows</category></item><item><title>Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack</title><link>https://cipherwatch.io/articles/2026-04-27-microsoft-entra-agent-id-tenant-takeover/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-microsoft-entra-agent-id-tenant-takeover/</guid><description>A flaw in Microsoft Entra&apos;s Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>entra-id</category><category>service-principal</category><category>privilege-escalation</category><category>tenant-takeover</category><category>azure</category><category>agentic-ai</category></item><item><title>Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available</title><link>https://cipherwatch.io/articles/2026-04-25-microsoft-entra-passkeys-windows-phishing-resistant-mfa/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-25-microsoft-entra-passkeys-windows-phishing-resistant-mfa/</guid><description>Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. 
Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>passkeys</category><category>entra-id</category><category>microsoft</category><category>phishing-resistant</category><category>mfa</category><category>zero-trust</category></item><item><title>Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0) — Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix</title><link>https://cipherwatch.io/articles/2026-04-24-microsoft-entra-id-ssrf-cve-2026-35431-cvss-10/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-microsoft-entra-id-ssrf-cve-2026-35431-cvss-10/</guid><description>A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft&apos;s cloud identity governance platform. 
Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don&apos;t control?</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>entra-id</category><category>ssrf</category><category>cloud-security</category><category>iam</category><category>azure</category><category>zero-trust</category><category>microsoft</category></item><item><title>BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826</title><link>https://cipherwatch.io/articles/2026-04-23-beigeburrow-ad-exploitation-cve-2026-33826-covert-c2/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-23-beigeburrow-ad-exploitation-cve-2026-33826-covert-c2/</guid><description>A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp&apos;s Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. 
CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.</description><pubDate>Thu, 23 Apr 2026 00:00:00 GMT</pubDate><category>active-directory</category><category>c2-framework</category><category>cve-2026-33826</category><category>beigeburrow</category><category>post-exploitation</category><category>detection</category></item><item><title>CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available</title><link>https://cipherwatch.io/articles/2026-04-18-windows-task-host-cve-2025-60710-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-18-windows-task-host-cve-2025-60710-cisa-kev/</guid><description>A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.</description><pubDate>Sat, 18 Apr 2026 00:00:00 GMT</pubDate><category>privilege-escalation</category><category>windows</category><category>cisa-kev</category><category>local-exploit</category><category>lpe</category><category>windows-server-2025</category></item><item><title>CVE-2026-33826: Windows Active Directory RCE via Crafted RPC Calls — Patch Now</title><link>https://cipherwatch.io/articles/2026-04-17-windows-ad-cve-2026-33826-rpc-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-17-windows-ad-cve-2026-33826-rpc-rce/</guid><description>A critical remote code execution flaw in Windows Active Directory allows any authenticated domain user to execute arbitrary code on domain controllers and other AD-joined servers by sending specially crafted RPC calls. 
Rated CVSS 8.0 and assessed by Microsoft as &apos;Exploitation More Likely&apos;, CVE-2026-33826 poses a serious lateral-movement and domain-compromise risk for every Windows Server environment. The April 2026 Patch Tuesday update provides the only full remediation.</description><pubDate>Fri, 17 Apr 2026 00:00:00 GMT</pubDate><category>cve-2026-33826</category><category>active-directory</category><category>windows-server</category><category>rce</category><category>rpc</category><category>patch-tuesday</category></item><item><title>Microsoft Closes APT29&apos;s Favourite Phishing Door With New RDP File Protections</title><link>https://cipherwatch.io/articles/2026-04-16-windows-rdp-file-protection-apt29-phishing/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-16-windows-rdp-file-protection-apt29-phishing/</guid><description>The April 2026 Windows update introduces mandatory security warnings and redirections-blocked-by-default for RDP connection files, directly countering the technique used by APT29 and other threat actors to silently redirect local drives and harvest credentials. 
Organisations using Windows 10 and 11 should confirm the KB is deployed.</description><pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate><category>rdp</category><category>windows</category><category>phishing</category><category>apt29</category><category>remote-desktop</category><category>microsoft</category><category>access-control</category><category>credential-theft</category><category>patch-tuesday</category></item><item><title>FBI and Indonesian Police Dismantle W3LL Phishing Platform Behind $20M in MFA-Bypass Fraud</title><link>https://cipherwatch.io/articles/2026-04-13-w3ll-phishing-kit-fbi-indonesia-takedown/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-13-w3ll-phishing-kit-fbi-indonesia-takedown/</guid><description>The FBI Atlanta Field Office and Indonesia&apos;s National Police have dismantled the W3LL phishing-as-a-service platform, arresting its alleged developer and seizing domains used in a global credential-theft and MFA-bypass operation. W3LL targeted over 17,000 victims in Microsoft 365 environments, capturing not just passwords but session tokens that allowed attackers to bypass multi-factor authentication.</description><pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate><category>phishing</category><category>mfa-bypass</category><category>microsoft-365</category><category>adversary-in-the-middle</category><category>law-enforcement</category><category>credential-theft</category><category>session-hijacking</category></item><item><title>AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations</title><link>https://cipherwatch.io/articles/2026-04-10-device-code-phishing-mfa-bypass/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-device-code-phishing-mfa-bypass/</guid><description>A sophisticated phishing campaign is abusing the OAuth device authorisation flow to hijack Microsoft 365 access tokens while victims complete entirely genuine MFA challenges. 
Hundreds of organisations have been compromised. FIDO2 passkeys block this attack; push notifications, TOTP, and SMS codes do not. Organisations should block the device code grant in Conditional Access immediately.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>phishing</category><category>mfa-bypass</category><category>oauth</category><category>device-code-flow</category><category>microsoft-365</category><category>identity</category><category>access-token</category><category>fido2</category><category>entra-id</category><category>ai-phishing</category></item><item><title>Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now</title><link>https://cipherwatch.io/articles/2026-04-09-fortinet-forticlient-ems-cve-2026-35616-exploited/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-09-fortinet-forticlient-ems-cve-2026-35616-exploited/</guid><description>A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. 
Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.</description><pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>forticlient</category><category>ems</category><category>zero-day</category><category>pre-auth</category><category>privilege-escalation</category><category>cisa-kev</category><category>endpoint-security</category></item><item><title>April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory</title><link>https://cipherwatch.io/articles/2026-04-09-windows-kerberos-rc4-enforcement-cve-2026-20833/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-09-windows-kerberos-rc4-enforcement-cve-2026-20833/</guid><description>Microsoft&apos;s April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. 
Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.</description><pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate><category>microsoft</category><category>active-directory</category><category>kerberos</category><category>rc4</category><category>aes</category><category>windows-server</category><category>domain-controller</category><category>cve-2026-20833</category><category>authentication</category></item><item><title>Windows Kerberos Security Feature Bypass CVE-2026-24297 — Race Condition Enables Unauthenticated Network Attack</title><link>https://cipherwatch.io/articles/2026-04-04-kerberos-cve-2026-24297-security-feature-bypass/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-04-kerberos-cve-2026-24297-security-feature-bypass/</guid><description>CVE-2026-24297 is a security feature bypass in the Windows Kerberos implementation caused by a race condition that can be triggered remotely without credentials or user interaction. Patched in the March 2026 Patch Tuesday, the vulnerability allows an attacker with network access to a Kerberos-speaking service to bypass security validation in the authentication flow. 
No active exploitation has been confirmed, but the attack vector requires no credentials, which increases the urgency of patching.</description><pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate><category>kerberos</category><category>windows</category><category>cve-2026-24297</category><category>authentication</category><category>race-condition</category><category>security-bypass</category><category>patch-tuesday</category></item><item><title>Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse</title><link>https://cipherwatch.io/articles/2026-04-01-active-directory-cve-2026-25177-privilege-escalation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-01-active-directory-cve-2026-25177-privilege-escalation/</guid><description>CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March&apos;s Patch Tuesday, has been added to CISA&apos;s Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.</description><pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate><category>active-directory</category><category>privilege-escalation</category><category>cve-2026-25177</category><category>microsoft</category><category>kerberos</category><category>cisa-kev</category><category>patch-tuesday</category></item></channel></rss>