CVE-2025-60704 identifies a critical cryptographic vulnerability in Microsoft Windows 10 Version 1607 (build 10.0.14393.0) affecting the Kerberos authentication protocol. The issue stems from a missing cryptographic step during the Kerberos ticket validation or processing, classified under CWE-325 (Missing Cryptographic Step). This flaw allows an attacker on the network to perform privilege escalation without requiring prior authentication, by exploiting the weakened cryptographic validation to forge or manipulate Kerberos tickets. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized access to sensitive resources and potentially disrupting system operations. The CVSS 3.1 score of 7.5 reflects a high severity with network attack vector, high attack complexity, no privileges required, and user interaction needed. The scope is unchanged, meaning the vulnerability affects only the vulnerable component without extending beyond it. Currently, no public exploits or proof-of-concept code have been reported, but the risk remains significant due to the critical nature of Kerberos in Windows domain environments. The lack of a patch at the time of disclosure necessitates immediate mitigation through network segmentation, monitoring, and restricting Kerberos traffic to trusted hosts. Organizations running Windows 10 Version 1607, especially in enterprise and government sectors, should prioritize remediation planning to prevent exploitation.

The vulnerability enables unauthorized attackers to elevate privileges remotely over the network, potentially gaining administrative or system-level access. This can lead to unauthorized disclosure of sensitive information, modification or destruction of data, and disruption of critical services. Since Kerberos is widely used for authentication in Windows domain environments, exploitation could compromise entire Active Directory infrastructures, affecting user accounts, access controls, and security policies. The impact is particularly severe for organizations relying on legacy Windows 10 Version 1607 systems that may no longer receive regular security updates. Attackers exploiting this flaw could move laterally within networks, escalate privileges, and establish persistent footholds, increasing the risk of data breaches, ransomware deployment, and operational downtime. The requirement for user interaction and high attack complexity somewhat limits mass exploitation but does not eliminate targeted attacks against high-value targets.

1. Apply official security patches from Microsoft as soon as they become available for Windows 10 Version 1607. 2. If patching is not immediately possible, restrict Kerberos traffic (TCP/UDP port 88) to trusted hosts and network segments using firewalls and network access controls. 3. Implement network segmentation to isolate legacy systems from critical infrastructure and sensitive data stores. 4. Monitor network traffic for anomalous Kerberos ticket requests or unusual authentication patterns using intrusion detection/prevention systems and Security Information and Event Management (SIEM) tools. 5. Enforce multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials. 6. Plan and execute an upgrade strategy to move off Windows 10 Version 1607 to supported, updated Windows versions to reduce exposure to legacy vulnerabilities. 7. Educate users about phishing and social engineering risks, as user interaction is required for exploitation. 8. Regularly audit Active Directory and Kerberos configurations to detect and remediate weak or misconfigured settings.