
PoC Exploit for Active Directory Certificate Services Vulnerability (CVE-2022-26923) Creates Path to Domain Admin

Background on CVE-2022-26923

On Tuesday, May 10, 2022, security researcher Oliver Lyak published a PoC exploit for CVE-2022-26923, a privilege escalation vulnerability impacting Active Directory Domain Services with a CVSS score of 8.8 and high severity. The vulnerability allows a threat actor who has already compromised a user account to elevate privileges to Domain Admin, if Active Directory Certificate Services is running on the domain. Microsoft patched the vulnerability in May’s Patch Tuesday release.

Note: This is not a remotely exploitable vulnerability; a threat actor must already have access to a user account in the domain to exploit it.

Based on the publicly available PoC exploit and the ease of exploitation, Arctic Wolf strongly recommends you patch the affected Active Directory environments immediately.

Recommendations

Recommendation #1: Patch Vulnerable Versions of Microsoft Active Directory Domain Services

Our primary recommendation is to patch vulnerable versions of Active Directory Domain Services, if you are running Active Directory Certificate Services on your domain.

If you have installed the May 2022 Patch Tuesday security updates, no further action is warranted.

Security updates and applicable Knowledge Base articles are available here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923
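The recommendation above applies only where AD CS is deployed and only until the May 2022 updates are on the domain controllers. The following PowerShell is an added example, not part of the Arctic Wolf advisory: it lists the enterprise CAs registered in the forest and flags domain controllers whose most recent update predates May 10, 2022. It assumes the ActiveDirectory RSAT module and an account that can read the configuration partition and query each DC; the date comparison is a heuristic, so confirm the exact KB for your OS build from the MSRC link above.

```powershell
# Added example (not from the advisory): inventory the two preconditions the
# recommendation depends on. Assumes the ActiveDirectory module and a domain
# account that can read the configuration partition and query remote DCs.
Import-Module ActiveDirectory

function Get-EnterpriseCAs {
    # Enterprise CAs register pKIEnrollmentService objects under the
    # Enrollment Services container of the configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName |
        Select-Object Name, dNSHostName
}

function Get-DCUpdateStatus {
    param([datetime]$PatchDate = '2022-05-10')  # May 2022 Patch Tuesday
    # Heuristic only: report the newest installed update on each DC and flag any
    # DC whose latest update predates the May 2022 release. Verify the specific
    # KB for your build against the MSRC update guide before closing the finding.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $latest = Get-HotFix -ComputerName $dc.HostName |
                      Sort-Object InstalledOn -Descending | Select-Object -First 1
            [pscustomobject]@{
                DC           = $dc.HostName
                LatestHotFix = $latest.HotFixID
                InstalledOn  = $latest.InstalledOn
                NeedsReview  = ($null -eq $latest) -or ($latest.InstalledOn -lt $PatchDate)
            }
        } catch {
            # Unreachable DC or insufficient rights: surface it rather than skip it.
            [pscustomobject]@{ DC = $dc.HostName; LatestHotFix = 'query failed'
                               InstalledOn = $null; NeedsReview = $true }
        }
    }
}

$cas = Get-EnterpriseCAs
if (-not $cas) {
    Write-Output 'No enterprise CA registered in this forest; AD CS precondition not met.'
} else {
    Write-Output 'Enterprise CAs found (AD CS is in use, so CVE-2022-26923 applies):'
    $cas | Format-Table -AutoSize
    Write-Output 'Domain controller update status (NeedsReview = True requires follow-up):'
    Get-DCUpdateStatus | Format-Table -AutoSize
}
```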


About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
