This post provides the attack flow of CVE-2022-26923 exploitation against AD CS and AD servers.

A privilege escalation vulnerability in AD CS and Active Directory (AD) was reported to Microsoft and is tracked as CVE-2022-26923.

After gaining low-privileged access to the domain environment, a threat actor (TA) can create a computer object and modify the dNSHostName attribute of the newly created computer AD object so that it refers to a privileged object such as a Domain Controller. Later, at will, the TA can request a certificate from a published template configured with the SubjectAltRequireDNS flag for the computer object. With the Domain Controller's certificate, the TA can extract the password hash for the user account of their interest.

Microsoft released a patch in May 2022 (KB5014754) to mitigate this vulnerability.
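The dNSHostName change described above leaves a visible trace in the directory, so a defender can audit for it. The following is an added example, not code from the original post: it reviews an export of computer objects and flags any non-DC object whose dNSHostName matches a Domain Controller's, plus objects whose host label differs from their sAMAccountName (a heuristic that can also flag legitimate renames). The sample records, the `corp.example` domain and the function names are constructed for illustration.

```python
from collections import defaultdict

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on domain controller accounts

# Constructed sample records, shaped like an LDAP export of computer objects.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example", "userAccountControl": 532480},
    {"sAMAccountName": "WS-0421$", "dNSHostName": "ws-0421.corp.example", "userAccountControl": 4096},
    {"sAMAccountName": "NEWPC$", "dNSHostName": "DC01.corp.example", "userAccountControl": 4096},
    {"sAMAccountName": "LAB7$", "dNSHostName": "build.corp.example", "userAccountControl": 4096},
    {"sAMAccountName": "STAGED$", "dNSHostName": None, "userAccountControl": 4096},
]

def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are case-insensitive."""
    return (name or "").strip().rstrip(".").lower()

def audit_dns_hostnames(computers):
    """Return {sAMAccountName: [findings]} for computer objects worth reviewing."""
    by_host = defaultdict(list)
    for c in computers:
        host = normalize(c.get("dNSHostName"))
        if host:  # objects without a dNSHostName cannot collide with anything
            by_host[host].append(c)

    findings = defaultdict(list)
    for host, owners in by_host.items():
        dcs = [o for o in owners if o["userAccountControl"] & SERVER_TRUST_ACCOUNT]
        for o in owners:
            is_dc = bool(o["userAccountControl"] & SERVER_TRUST_ACCOUNT)
            sam = o["sAMAccountName"]
            if dcs and not is_dc:
                findings[sam].append("dNSHostName matches domain controller " + dcs[0]["sAMAccountName"])
            elif len(owners) > 1 and not is_dc:
                findings[sam].append("dNSHostName shared with another computer object")
            # Host label should equal the account name without its trailing '$'.
            if host.split(".")[0] != sam.rstrip("$").lower():
                findings[sam].append("dNSHostName label differs from sAMAccountName")
    return dict(findings)

if __name__ == "__main__":
    for account, notes in audit_dns_hostnames(SAMPLE_COMPUTERS).items():
        print(account, "->", "; ".join(notes))
```
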

Attack flow of this exploitation