CVE-2022-26923 Overview
CVE-2022-26923 is a critical elevation of privilege vulnerability affecting Active Directory Domain Services (AD DS) in Microsoft Windows environments. This vulnerability allows an authenticated attacker to manipulate attributes on computer accounts they own or manage, potentially impersonating a Domain Controller and obtaining a certificate that grants domain administrator privileges. The flaw exists in how Active Directory Certificate Services (AD CS) handles certificate enrollment requests from machine accounts.
Critical Impact
Authenticated attackers can escalate privileges to domain administrator level by exploiting certificate enrollment weaknesses in Active Directory environments. This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- May 10, 2022 - CVE-2022-26923 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-26923
Vulnerability Analysis
This vulnerability, commonly referred to as "Certifried," exploits a weakness in how Active Directory Certificate Services validates certificate requests from computer accounts. The root issue lies in the certificate template's reliance on the dNSHostName attribute of computer objects for identity verification during certificate enrollment.
An authenticated user with the ability to create or modify computer accounts (by default, any domain user can join up to 10 machines to the domain) can manipulate the dNSHostName and servicePrincipalName (SPN) attributes of a computer account they control. By setting the dNSHostName to match a Domain Controller's hostname, an attacker can request a certificate that effectively impersonates the DC.
The vulnerability is classified under CWE-295 (Improper Certificate Validation), as the certificate enrollment process fails to adequately verify that the requesting entity legitimately owns the identity it claims.
Root Cause
The fundamental issue stems from insufficient validation during certificate enrollment in Active Directory Certificate Services. When a computer account requests a certificate using a template that specifies the Subject Alternative Name (SAN) based on the dNSHostName attribute, AD CS does not verify that the requesting machine actually owns that DNS name. This allows an attacker-controlled computer object with a spoofed dNSHostName attribute to obtain a certificate containing the identity of another machine, including Domain Controllers.
Attack Vector
The attack follows a network-based exploitation path requiring low-privilege authenticated access. The attacker must have credentials for a domain user account with the ability to create or manage computer objects. The attack flow typically involves:
- Creating a new machine account or taking control of an existing one
- Modifying the dNSHostName attribute to match a target Domain Controller
- Requesting a certificate from AD CS using a vulnerable certificate template
- Using the obtained certificate to authenticate as the impersonated Domain Controller
- Leveraging DC privileges to perform DCSync or other domain compromise techniques
The attack exploits the default Active Directory configuration where standard users can add computers to the domain (controlled by the ms-DS-MachineAccountQuota attribute, default value of 10).
Detection Methods for CVE-2022-26923
Indicators of Compromise
- Unexpected modifications to dNSHostName or servicePrincipalName attributes on computer objects
- Certificate enrollment requests from machine accounts with DNS names that don't match their normal naming convention
- Authentication events using certificates with mismatched subject names and requesting account identities
- Anomalous LDAP modification operations targeting computer object attributes
Detection Strategies
- Monitor Windows Security Event ID 4742 (Computer account was changed) for modifications to dNSHostName attributes
- Enable auditing on AD CS and monitor Event ID 4887 (Certificate Services approved a certificate request) for suspicious patterns
- Implement alerts for certificate requests where the Subject Alternative Name contains Domain Controller hostnames from non-DC machine accounts
- Use SentinelOne Singularity XDR to detect post-exploitation activities such as DCSync operations or Pass-the-Certificate attacks
Monitoring Recommendations
- Enable advanced auditing on Active Directory Certificate Services to log all certificate enrollment activities
- Configure alerts for computer object attribute modifications, particularly dNSHostName and servicePrincipalName changes
- Deploy endpoint detection on Domain Controllers to identify unauthorized Kerberos authentication using machine certificates
- Monitor for Certipy, Rubeus, or similar tooling usage that automates this attack chain
How to Mitigate CVE-2022-26923
Immediate Actions Required
- Apply the May 2022 Microsoft security updates to all affected Windows systems, prioritizing Domain Controllers and CA servers
- Review and restrict certificate templates that allow enrollment based on dNSHostName without strong validation
- Set the ms-DS-MachineAccountQuota attribute to 0 to prevent standard users from adding computer accounts to the domain
- Audit existing computer objects for suspicious dNSHostName values that match Domain Controllers
Patch Information
Microsoft released security updates addressing this vulnerability as part of the May 2022 Patch Tuesday release. The patches introduce additional validation checks during certificate enrollment to verify the requesting entity's ownership of the claimed identity. Organizations should obtain the appropriate updates from the Microsoft Security Update Guide for their specific Windows versions.
Post-patch, Microsoft implemented a compatibility mode that logs warnings before enforcing strict validation. Organizations should monitor for Event ID 39 in the AD CS logs, which indicates attempted exploitation or misconfigured systems that would break after full enforcement mode is enabled.
Workarounds
- Disable certificate templates that allow enrollment based on machine dNSHostName attributes until patches can be applied
- Restrict the ability to create computer accounts by setting ms-DS-MachineAccountQuota to 0 and delegating this permission only to trusted administrators
- Implement strong access controls on certificate templates, requiring Certificate Manager approval for sensitive templates
- Use Protected Users security group for privileged accounts to limit credential exposure
# PowerShell command to set ms-DS-MachineAccountQuota to 0
Set-ADDomain -Identity "DC=domain,DC=com" -Replace @{"ms-DS-MachineAccountQuota"="0"}
# Verify the setting
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota | Select-Object ms-DS-MachineAccountQuota
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
