CVE-2025-60704

Опубликовано: 11 нояб. 2025

Источник: msrc

CVSS3: 7.5

EPSS Низкий

Описание

Windows Kerberos Elevation of Privilege Vulnerability

Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.

FAQ

How could an attacker exploit this vulnerability?

When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk. In one such scenario for this vulnerability, the attacker could convince a victim to connect to an attacker controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.

According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?

An unauthorized attacker must wait for a user to initiate a connection.

Обновления

Продукт	Статья	Обновление
Windows Server 2008 for 32-bit Systems Service Pack 2	5068906 5068909	Monthly Rollup Security Only
Windows Server 2008 for x64-based Systems Service Pack 2	5068906 5068909	Monthly Rollup Security Only
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)	5068906 5068909	Monthly Rollup Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)	5068904 5068908	Monthly Rollup Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1	5068904 5068908	Monthly Rollup Security Only
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)	5068906 5068909	Monthly Rollup Security Only
Windows Server 2012	5068907	Monthly Rollup
Windows Server 2012 (Server Core installation)	5068907	Monthly Rollup
Windows Server 2012 R2	5068905	Monthly Rollup
Windows Server 2012 R2 (Server Core installation)	5068905	Monthly Rollup

Показывать по

Возможность эксплуатации

Publicly Disclosed

Exploited

Latest Software Release

Exploitation Less Likely

EPSS

Процентиль: 16%

0.00052

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2025-60704

CVSS3: 7.5

nvd

2 дня назад

Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.

GHSA-9pv8-qfvr-2qxm

CVSS3: 7.5

github

2 дня назад

Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network.

EPSS

Процентиль: 16%

0.00052

Низкий

7.5 High

CVSS3