Immediate Action: Enforce PAC Validation for CVE-2024-26248 & CVE-2024-29056

Last year, Windows updates released on and after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol.

Starting today, the Enforcement phase of deployment begins. After installing the April 2025 Windows security update and later updates on all Windows domain controllers and Windows clients, support for Compatibility mode will be removed, and the new secure behavior will be enabled by default. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
When will this happen?
The Enforcement phase starts today with the release of the April 2025 Windows security update.
How will this affect your organization?
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment. This must include all Windows domain controllers and Windows clients. Environments that are not up to date will not recognize the new request structure and security checks will fail.
 
What do you need to do to prepare?
Install the April 2025 Windows security update (or any later update) on all Windows domain controllers and Windows clients. Once it is installed everywhere, Enforcement mode is fully enabled in your environment, which properly mitigates the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
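Because the fix only works once every domain controller and client is on the April 2025 update or later, the practical task is an inventory: which machines still lack a cumulative update released on or after that date. The script below is an added example, not part of the Microsoft notice or this blog post. It assumes the April 2025 security update shipped on 2025-04-08 (Patch Tuesday) and uses the latest Get-HotFix InstalledOn date as the readiness signal, which is a heuristic, not a check of the specific KB numbers (those are not given on this page). It also assumes the ActiveDirectory RSAT module is present and that WinRM reaches the targets; the function name Get-PacEnforcementReadiness is made up for this example.

```powershell
# Added example: report which domain controllers and Windows clients have a
# cumulative update installed on or after the April 2025 security release.
# Assumption: the April 2025 Windows security update date is 2025-04-08; any
# later cumulative update also satisfies the Enforcement-phase requirement.
$EnforcementReleaseDate = Get-Date '2025-04-08'

function Get-PacEnforcementReadiness {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    # Query each host remotely for its installed updates. Cumulative updates
    # show up in Get-HotFix as "Security Update" entries with an InstalledOn date.
    $results = Invoke-Command -ComputerName $ComputerName `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        $latest = Get-HotFix |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            OSBuild         = "$($ver.CurrentBuildNumber).$($ver.UBR)"
            LatestHotFix    = $latest.HotFixID
            LatestInstalled = $latest.InstalledOn
        }
    }

    foreach ($r in $results) {
        [pscustomobject]@{
            Computer        = $r.Computer
            OSBuild         = $r.OSBuild
            LatestHotFix    = $r.LatestHotFix
            LatestInstalled = $r.LatestInstalled
            Status          = if ($r.LatestInstalled -and $r.LatestInstalled -ge $EnforcementReleaseDate) {
                                  'Enforcement-ready'
                              } else {
                                  'NEEDS UPDATE'
                              }
        }
    }

    # Hosts that could not be reached are reported, not silently dropped:
    # a single unpatched DC or client is exactly what makes the new checks fail.
    foreach ($e in $remoteErrors) {
        $target = if ($e.TargetObject) { $e.TargetObject } else { $e.OriginInfo.PSComputerName }
        [pscustomobject]@{
            Computer        = $target
            OSBuild         = $null
            LatestHotFix    = $null
            LatestInstalled = $null
            Status          = "UNREACHABLE: $($e.Exception.Message)"
        }
    }
}

# Every domain controller (writable and read-only) in the current domain.
$dcs = @((Get-ADDomainController -Filter *).HostName)

# The notice requires clients to be updated too, so include enabled Windows
# computers seen in the last 30 days (skips stale computer objects).
$clients = @(
    Get-ADComputer -Filter 'OperatingSystem -like "Windows*" -and Enabled -eq $true' `
        -Properties OperatingSystem, LastLogonDate |
        Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-30) } |
        Select-Object -ExpandProperty DNSHostName
)

Get-PacEnforcementReadiness -ComputerName ($dcs + $clients) |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```

Run it from a management host with domain admin (or equivalent read) rights. Anything reported as NEEDS UPDATE or UNREACHABLE should be patched or investigated before you rely on the mitigation, since the notice is explicit that machines left behind will not recognize the new request structure and their security checks will fail.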

Message ID: MC1050817




I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.
