Full Report
Microsoft has fixed a known issue causing authentication problems when Credential Guard is enabled on systems using the Kerberos PKINIT pre-auth security protocol. [...]
Analysis Summary
# Vulnerability: Windows Kerberos Password Rotation Failure Leading to Authentication Issues
## CVE Details
- CVE ID: Not explicitly provided in the summary text (this appears to be a known issue addressed via cumulative updates rather than a publicly disclosed CVE).
- CVSS Score: N/A (No specific score mentioned)
- CWE: N/A
## Affected Systems
- Products: Windows 11 (Version 24H2), Windows Server 2025
- Versions: Applicable versions as described in the security updates for Windows 11 24H2 and Windows Server 2025. The issue is unlikely to affect Windows Home editions.
- Configurations: Environments where Kerberos authentication is heavily utilized (typically enterprise environments).
## Vulnerability Description
The vulnerability stems from a failure in the automatic rotation of machine account passwords (which occurs every 30 days by default). When rotation fails, devices are incorrectly treated as stale, disabled, or deleted, resulting in Kerberos user authentication failures.
## Exploitation
- Status: This appears to be a functional bug rather than an actively exploited vulnerability, although the context mentions other exploited flaws in the same patch cycle. No exploitation status is provided for this authentication failure itself.
- Complexity: Low (It is a systemic failure triggered by a recurring process).
- Attack Vector: Likely Network/Authentication based, impacting domain services.
## Impact
- Confidentiality: Potential impact if authentication failures cascade, though direct data exposure from this specific failure is not detailed.
- Integrity: High potential impact on system integrity if users/services cannot authenticate correctly.
- Availability: High potential impact on availability due to widespread user authentication failures in enterprise environments.
## Remediation
### Patches
- **Windows 11 24H2:** Fixed in the April 2025 security update (KB5055523, OS Build 26100.3775).
- **Windows Server 2025:** Fixed in the April 2025 security update (KB5055523, OS Build 26100.3775).
**Recommendation:** Install the latest cumulative update for the respective operating system.
### Workarounds
- Microsoft temporarily disabled the machine account feature in Credential Guard, which relies on Kerberos password rotation, pending a permanent fix (the patch is now available).
## Detection
- **Indicators of Compromise:** User reports of sporadic or widespread Kerberos authentication failures, perceived account lockouts, or devices being flagged as stale or disabled in Active Directory.
- **Detection Methods and Tools:** Monitor Active Directory health, review Kerberos event logs for repeated authentication failures involving machine accounts, and check security event IDs related to Kerberos tickets.
## References
- Vendor Advisory (Windows release health dashboard): hxxps://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3517msgdesc
- Patch Link (Windows 11 24H2): hxxps://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb
- Patch Link (Windows Server 2025): hxxps://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-348facce-4988-4c6a-8cb9-50cab59fd385