Background on CVE-2022-26923
On Tuesday, 10 May 2022, security researcher Oliver Lyak published a PoC exploit for CVE-2022-26923, a high-severity privilege escalation vulnerability in Active Directory Domain Services with a CVSS score of 8.8. The vulnerability allows a threat actor who has already compromised a user account to elevate privileges to Domain Admin if Active Directory Certificate Services is running on the domain. Microsoft patched the vulnerability in May’s Patch Tuesday release.
Note: This is not a remotely exploitable vulnerability; a threat actor must have prior access to exploit it.
Based on the publicly available PoC exploit and the ease of exploitation, Arctic Wolf strongly recommends you patch the affected Active Directory environments immediately.
Recommendation #1: Patch Vulnerable Versions of Microsoft Active Directory Domain Services
Our primary recommendation is to patch vulnerable versions of Active Directory Domain Services if you are running Active Directory Certificate Services on your domain.
If you have installed the May 2022 Patch Tuesday security updates, no further action is warranted.
Security updates and applicable Knowledge Base articles are available here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923