IPv6 Could Be a Gateway for Cyberattackers on Windows Systems

A recently uncovered vulnerability in IPv6 could leave Windows networks exposed to attackers, even when the protocol is not actively in use. Security experts warn that this dormant feature, enabled by default, could serve as a backdoor for malicious actors, potentially leading to a complete domain takeover.

Though IPv6 adoption remains limited in many networks, it is still enabled by default on Windows systems, often prioritized over the older IPv4 protocol. If left unchecked, this could create a significant security risk. Researchers have pointed out that hackers could exploit this feature to gain control over a network, leveraging it as a stepping stone to compromise a domain.

The attack begins when an attacker gains access to a single device on the network, which could be anything from a laptop to an IoT device. With minimal effort, the attacker can configure that device as a rogue DHCPv6 and DNS server, tricking Windows systems into trusting it for their network configuration. Since Windows hosts by default solicit IPv6 configuration over DHCPv6, the malicious device can steer them to attacker-controlled websites, intercept login credentials, and even hijack network traffic.

Researchers from cybersecurity firm Resecurity have described how an attacker can escalate from basic access to full Domain Admin privileges in just a few minutes. By combining rogue DHCPv6 responses with DNS poisoning and relay attacks, attackers can silently move from unauthenticated access to total network control.

The attack, referred to as the “MITM6 + NTLM Relay” method, is particularly dangerous in environments using Active Directory, as it allows attackers to impersonate privileged users and gain full access to sensitive resources.

To mitigate this risk, security experts advise disabling IPv6 entirely if it is not needed. Additionally, network defenses should include tools like RA Guard and DHCPv6 Guard, which block unauthorized IPv6 configurations. Proper hardening of Active Directory, along with active monitoring, can further reduce the chances of exploitation.
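As an added, host-side illustration that is not part of the original article, the following PowerShell script audits a Windows host for the three conditions the advice above targets (IPv6 still bound to adapters, the Tcpip6 DisabledComponents value, and no host-firewall block on inbound DHCPv6) and, when run with `-Remediate`, applies them. The firewall rule name and the choice of `0xFF` (disable IPv6 entirely) over `0x20` (merely prefer IPv4) are assumptions for this example.

```powershell
# Added example (not from the original article): audit, and optionally harden,
# a Windows host against rogue DHCPv6-based configuration.
# Assumes Windows 10/11 or Server 2016+ with the NetAdapter and NetSecurity
# modules, run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)

$tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
# 0xFF disables IPv6 on all interfaces (Microsoft-documented value);
# use 0x20 instead if you only want to prefer IPv4 over IPv6.
$desiredDisabledComponents = 0xFF

# 1. Which adapters still have the IPv6 stack bound?
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
foreach ($b in $bound) {
    Write-Warning "IPv6 is still bound on adapter '$($b.Name)'"
    if ($Remediate) { Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6 }
}

# 2. DisabledComponents registry value (applies to all adapters, survives reboots)
$current = (Get-ItemProperty -Path $tcpip6Key -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
if ($current -ne $desiredDisabledComponents) {
    Write-Warning ("DisabledComponents is '{0}' (expected 0x{1:X})" -f $current, $desiredDisabledComponents)
    if ($Remediate) {
        Set-ItemProperty -Path $tcpip6Key -Name DisabledComponents `
            -Value $desiredDisabledComponents -Type DWord
        Write-Output 'DisabledComponents set; a reboot is required for it to take effect.'
    }
}

# 3. Host firewall: block inbound DHCPv6 replies (UDP/546) as defence in depth,
#    so a rogue DHCPv6 server cannot push DNS settings even if IPv6 is re-enabled.
$ruleName = 'Block inbound DHCPv6 (UDP 546)'   # rule name chosen for this example
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning 'No host-firewall rule blocks inbound DHCPv6'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
            -LocalPort 546 -Action Block -Profile Any | Out-Null
    }
}
```

Run it without `-Remediate` first to see what would change; the registry value only takes effect after a reboot, and RA Guard / DHCPv6 Guard still need to be configured on the switches, since this script covers the host side only.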

As security threats evolve, organizations must ensure their network configurations are secure and actively managed to prevent such attacks from occurring.