CVE-2026-20929 enables Kerberos relay via DNS CNAME manipulation to obtain fraudulent certificates from Active Directory Certificate Services web enrollment endpoints, bypassing NTLM-blocking controls that many organizations treat as sufficient relay defense. A public proof-of-concept is available. Any Windows Server environment running AD CS web enrollment that has not applied the January 2026 Patch Tuesday update is at operational risk of privileged certificate issuance abuse and downstream pass-the-ticket lateral movement.
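To find the exposure described above, the following added example (not part of the original advisory, and not vendor code) inventories hosts with the AD CS web enrollment role and reports whether any update has been installed since January 2026 Patch Tuesday. It assumes the RSAT ActiveDirectory and ServerManager modules, remote management access to the targets, and 2026-01-13 as the Patch Tuesday date. The advisory gives no KB number, so `$FixKb` is left for you to fill in, the install-date check is only a heuristic, and the function names are hypothetical.

```powershell
# Added example, not from the advisory. Function names are hypothetical.
# Assumes RSAT ActiveDirectory + ServerManager modules and remote access to the targets.
$PatchTuesday = [datetime]'2026-01-13'  # assumed: second Tuesday of January 2026
$FixKb        = $null                   # set to the KB for your OS build; the page lists none

function Get-EnterpriseCaHost {
    # Enterprise CAs publish a pKIEnrollmentService object in the configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName | Select-Object -ExpandProperty dNSHostName
}

function New-StateRecord ($Computer, $RoleInstalled, $State, $Latest) {
    # Same shape for every row so table/CSV output stays aligned.
    [pscustomobject]@{
        Computer      = $Computer
        WebEnrollment = $RoleInstalled
        State         = $State
        LatestUpdate  = $Latest.HotFixID
        InstalledOn   = $Latest.InstalledOn
    }
}

function Get-WebEnrollmentPatchState {
    param([string[]]$ComputerName = (Get-EnterpriseCaHost))
    foreach ($computer in $ComputerName) {
        try {
            $role = Get-WindowsFeature -Name ADCS-Web-Enrollment -ComputerName $computer -ErrorAction Stop
            if (-not $role.Installed) {
                New-StateRecord $computer $false 'RoleNotInstalled' $null
                continue
            }
            $hotfixes = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
            $latest   = $hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn |
                        Select-Object -Last 1
            $state = if ($FixKb -and ($hotfixes.HotFixID -contains $FixKb)) {
                'FixKbPresent' } elseif ($latest -and $latest.InstalledOn -ge $PatchTuesday) {
                'UpdatedSinceJan2026-VerifyKB' } else { 'NoUpdateSinceJan2026' }
            New-StateRecord $computer $true $state $latest
        } catch {
            New-StateRecord $computer $null "Error: $($_.Exception.Message)" $null
        }
    }
}

Get-WebEnrollmentPatchState | Sort-Object State | Format-Table -AutoSize
```

Web enrollment can be installed on a member server other than the CA itself, so pass any such hosts explicitly with `-ComputerName` rather than relying only on the default list of CA hosts.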