CVE-2022-26923 Overview
CVE-2022-26923 is an elevation of privilege vulnerability in Active Directory Domain Services (AD DS). A low-privileged authenticated domain user can manipulate computer account attributes to obtain a certificate from Active Directory Certificate Services (AD CS) that authenticates as a Domain Controller. The flaw stems from improper certificate validation [CWE-295] during the AD CS enrollment process. Successful exploitation grants Domain Admin equivalent privileges across the forest. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and carries an EPSS probability of 91.44% (99.676th percentile), indicating active exploitation interest.
Critical Impact
Any authenticated domain user can escalate to Domain Administrator by abusing certificate-based authentication against Active Directory Certificate Services.
Affected Products
- Microsoft Windows Server 2012 R2, 2016, 2019, and 2022 (Domain Controllers)
- Microsoft Windows 10 (versions 1507, 1607, 1809, 1909, 20H2, 21H1, 21H2) and Windows 11 21H2
- Microsoft Windows 8.1 and Windows RT 8.1
Discovery Timeline
- 2022-05-10 - CVE-2022-26923 published to the National Vulnerability Database
- 2022-05-10 - Microsoft releases security update addressing the flaw
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2022-26923
Vulnerability Analysis
The vulnerability resides in how Active Directory Certificate Services binds certificate requests to computer accounts during enrollment. By default, any authenticated user can create up to ten computer accounts in the domain via the ms-DS-MachineAccountQuota attribute. AD CS templates such as Machine and Domain Controller use the dNSHostName attribute on the computer object to map a certificate to its identity. An attacker can create a computer account, set its dNSHostName to match a Domain Controller, and request a certificate that the Key Distribution Center (KDC) then accepts for Kerberos PKINIT authentication as that Domain Controller.
Root Cause
The weakness is an improper certificate validation issue [CWE-295]. The KDC trusts the dNSHostName value embedded in the certificate without strongly binding it to the originating Security Identifier (SID) of the requesting account. Because writeable attributes on user-created machine objects determine certificate identity, the trust relationship between certificate subject and computer object can be subverted.
Attack Vector
Exploitation requires only valid domain credentials and network access to the domain controller and certificate authority. The typical attack chain proceeds as follows: the attacker creates a new computer account using their existing credentials, clears the servicePrincipalName attribute on the new object to avoid conflicts, sets the dNSHostName attribute to match an existing Domain Controller's FQDN, requests a machine certificate from AD CS using the manipulated identity, and authenticates via Kerberos PKINIT using the certificate to receive a Ticket Granting Ticket as the Domain Controller. Public tooling such as Certipy and Certifried automates this sequence. The technique closely overlaps with the ESC9 and ESC10 certificate template abuse classes documented by SpecterOps.
No verified exploit code is reproduced here. See the Microsoft Security Advisory CVE-2022-26923 for vendor technical details.
Detection Methods for CVE-2022-26923
Indicators of Compromise
- Creation of new computer accounts followed shortly by certificate enrollment requests from the same principal, especially against the Machine or Domain Controller templates
- Modifications to the dNSHostName attribute on computer objects that match existing Domain Controller hostnames
- Kerberos PKINIT authentication events (Event ID 4768) where the certificate subject does not align with the historical account identity
- AD CS certificate issuance events (Event ID 4886/4887) for machine templates requested by standard user principals
Detection Strategies
- Monitor Active Directory for changes to dNSHostName and servicePrincipalName attributes on computer objects, particularly those created by non-administrative users
- Audit certificate enrollment logs on Enterprise Certificate Authorities for requests where the subject alternative name conflicts with privileged hosts
- Correlate computer account creation events (Event ID 4741) with subsequent certificate-based Kerberos authentications
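The correlation described in the three strategies above, as an added PowerShell example that is not part of this advisory: it joins computer account creation (4741) and dNSHostName / servicePrincipalName changes (5136) on a Domain Controller with certificate issuance (4887) on the Enterprise CA. It assumes the ActiveDirectory module, "Audit Directory Service Changes" with a write SACL on computer objects (otherwise no 5136 events exist), and placeholder hostnames in $Dc and $Ca.

```powershell
# Added example, not from the advisory. $Dc and $Ca are placeholder hostnames.
param(
    [string]$Dc = 'dc01.example.local',   # placeholder Domain Controller
    [string]$Ca = 'ca01.example.local',   # placeholder Enterprise CA
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

function Get-EventData($Event) {
    # Flatten the EventData section of a Security event into a hashtable keyed by field name
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}
function Get-Events($Computer, $Id) {
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since }
}

$dcFqdns = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }
$changes = Get-Events $Dc 5136 | ForEach-Object { $d = Get-EventData $_
    [PSCustomObject]@{ Time = $_.TimeCreated; DN = $d.ObjectDN; Attr = $d.AttributeLDAPDisplayName
                       Value = "$($d.AttributeValue)"; Op = $d.OperationType } }
$issued  = Get-Events $Ca 4887 | ForEach-Object { $d = Get-EventData $_
    [PSCustomObject]@{ Time = $_.TimeCreated; Requester = $d.Requester; Subject = $d.Subject } }

foreach ($e in (Get-Events $Dc 4741)) {
    $d   = Get-EventData $e
    $sam = $d.TargetUserName                       # sAMAccountName of the new computer, e.g. NEWPC$
    $cn  = $sam.TrimEnd('$')
    $mine = $changes | Where-Object { $_.DN -like "CN=$cn,*" }
    # In 5136, OperationType %%14674 means "value added" and %%14675 means "value deleted"
    $spoof  = $mine | Where-Object { $_.Attr -eq 'dNSHostName' -and $_.Op -eq '%%14674' -and
                                     $dcFqdns -contains $_.Value.ToLower() }
    $spnClr = $mine | Where-Object { $_.Attr -eq 'servicePrincipalName' -and $_.Op -eq '%%14675' }
    $certs  = $issued | Where-Object { $_.Requester -like "*\$sam" -and $_.Time -gt $e.TimeCreated }
    if ($spoof -or ($spnClr -and $certs)) {
        [PSCustomObject]@{
            Created        = $e.TimeCreated
            Account        = $sam
            CreatedBy      = $d.SubjectUserName
            SpoofedDnsHost = ($spoof.Value -join ';')
            SpnCleared     = [bool]$spnClr
            CertsIssued    = @($certs).Count
        }
    }
}
```

Run it from a host with read access to both Security logs; a row with SpoofedDnsHost set, or SpnCleared plus CertsIssued greater than zero, is the pattern the indicators above describe.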
Monitoring Recommendations
- Reduce ms-DS-MachineAccountQuota to zero for non-administrative users and alert on any deviations
- Enable AD CS auditing and forward CertificateServicesClient-Lifecycle-System and CA issuance logs to a centralized SIEM
- Baseline normal certificate enrollment patterns and alert on machine certificate requests originating from interactive user sessions
How to Mitigate CVE-2022-26923
Immediate Actions Required
- Apply the May 2022 Microsoft security updates to all Domain Controllers and Certificate Authority servers in the forest
- Set ms-DS-MachineAccountQuota to 0 for standard users to prevent unauthorized computer account creation
- Audit existing machine accounts and certificate templates for prior abuse before patching
- Enable Full Enforcement mode for strong certificate mapping once all systems are updated
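The audit step above ("audit existing machine accounts ... for prior abuse"), as an added PowerShell example that is not part of this advisory: it inspects current computer objects for the traces the technique leaves, a dNSHostName colliding with a Domain Controller FQDN, an empty servicePrincipalName, and a creator recorded in mS-DS-CreatorSID (which AD populates only when a non-admin used the MachineAccountQuota to create the object). It assumes the ActiveDirectory module and read access to those attributes.

```powershell
# Added example, not from the advisory. Reports computer objects that look like
# a MachineAccountQuota-created account re-pointed at a Domain Controller.
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter *
$dcFqdns = $dcs.HostName | ForEach-Object { $_.ToLower() }
$dcDNs   = $dcs.ComputerObjectDN

function Resolve-CreatorSid($SidBytes) {
    # mS-DS-CreatorSID is an octet string; turn it into DOMAIN\user, or the raw SID if it no longer resolves
    if (-not $SidBytes) { return $null }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

Get-ADComputer -Filter * -Properties dNSHostName, servicePrincipalName, 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $findings = @()
        $dns = "$($_.dNSHostName)".ToLower()
        # A non-DC object whose dNSHostName equals a DC FQDN is the core of the spoof
        if ($dns -and $dcDNs -notcontains $_.DistinguishedName -and $dcFqdns -contains $dns) {
            $findings += 'dNSHostName matches a Domain Controller'
        }
        # SPNs are cleared so the spoofed dNSHostName does not collide with the real host's SPNs
        if (@($_.servicePrincipalName).Count -eq 0) {
            $findings += 'servicePrincipalName is empty'
        }
        $creator = Resolve-CreatorSid $_.'mS-DS-CreatorSID'
        if ($creator) { $findings += "created via MachineAccountQuota by $creator" }
        if ($findings) {
            [PSCustomObject]@{
                Name        = $_.Name
                DnsHostName = $_.dNSHostName
                WhenCreated = $_.whenCreated
                Findings    = ($findings -join '; ')
            }
        }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Objects reported with the first finding should be treated as evidence of abuse and investigated together with the CA's issuance log before the certificate is revoked and the account removed.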
Patch Information
Microsoft addressed the vulnerability in the May 10, 2022 Patch Tuesday release. The fix introduces a new szOID_NTDS_CA_SECURITY_EXT certificate extension that embeds the requesting account's SID into issued certificates. Domain Controllers validate this SID extension against the authenticating account, breaking the dNSHostName spoofing chain. Deployment follows a phased compatibility model documented in KB5014754, progressing from Compatibility mode to Full Enforcement. Refer to the Microsoft Update Guide CVE-2022-26923 for the full patch catalog.
Workarounds
- Remove vulnerable certificate templates such as Machine and Domain Controller from the CA if not strictly required
- Require CA Manager approval for machine certificate issuance to introduce a manual review checkpoint
- Restrict enrollment permissions on AD CS templates to specific security groups rather than Domain Computers or Authenticated Users
- Remove the Client Authentication Extended Key Usage from templates that do not need it to prevent Kerberos PKINIT abuse
The first two immediate actions can be applied with PowerShell; the quota change needs the ActiveDirectory module and Domain Admin rights, and the registry value is set on every Domain Controller after the May 2022 update is installed:
# Reduce MachineAccountQuota to prevent unprivileged computer account creation
Set-ADDomain -Identity (Get-ADDomain) -Replace @{"ms-DS-MachineAccountQuota"="0"}
# Enable Full Enforcement mode for strong certificate mapping (post-patch)
# HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement = 2
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" `
    -Name "StrongCertificateBindingEnforcement" -Value 2 -PropertyType DWord -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.