PoC Exploit for Active Directory Certificate Services Vulnerability (CVE-2022-26923) Creates Path to Domain Admin

Share :

Background on CVE-2022-26923

On Tuesday, May 10, 2022, security researcher Oliver Lyak published a PoC exploit for CVE- 2022-26923, a privilege escalation vulnerability impacting Active Directory Domain Services with a CVSS score of 8.8 and high severity. The vulnerability allows a threat actor who has already compromised a user account to elevate privileges to Domain Admin, if Active Directory Certificates Services is running on the domain. Microsoft patched the vulnerability in May’s Patch Tuesday release.

Note: This is not a remotely exploitable vulnerability, a threat actor must have prior access to exploit the vulnerabilities.

Based on the publicly available PoC exploit and the ease of exploitation, Arctic Wolf strongly recommends you patch the affected Active Directory environments immediately.

Recommendations for CVE-2022-26923

Recommendation #1: Patch Vulnerable Versions of Microsoft Active Directory Domain Services

Our primary recommendation is to patch vulnerable versions of Active Directory Domain Services, if you are running Active Directory Certificate Services on your domain.

If you have installed the May 2022 Patch Tuesday security updates no further action is warranted.

Security updates and applicable Knowledge Base articles are available here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923


Picture of Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Subscribe to our Monthly Newsletter