"I Didn't Know I Had These Problems": The Reality of AD Vulnerability Assessments

POST BY
PUBLISHED
July, 17, 2026

Organizations tend to think their Active Directory implementation is secure since systems have been patched, passwords have been changed, and all the necessary security configurations have been implemented. Nevertheless, thorough vulnerability testing will reveal many misconfigured aspects of this infrastructure that have not been seen by companies for several years already.

This may pose a serious threat to identity infrastructure and result in privilege escalation and unauthorized access. For instance, one common problem here is CVE-2022-26923, which still affects many organizations. Active Directory assessment is not limited to basic patch testing but allows revealing configuration problems and other issues.

KEY TAKEAWAYS

  • CVE-2022-26923 is still an important Active Directory privilege escalation vulnerability.
  • Vulnerability assessments reveal underlying vulnerabilities that maintenance overlooks.
  • Monitoring and reviewing configurations enhance Active Directory security.
  • Assessments contribute to decreased cyber threats and improved resilience.

What CVE-2022-26923 Actually Does

The CVE-2022-26923 bug is an Active Directory privilege escalation vulnerability that exists in the AD CS platform. In May 2022, Microsoft disclosed it as part of a broader set of findings, often referred to in security research circles as “Certified Pre-Owned,” which examined how certificate-based authentication in AD CS could be abused.

At its core, the vulnerability stems from how AD CS maps issued certificates back to Active Directory accounts. An authenticated user who has permission to modify certain attributes on a computer or user object they control, such as the dNSHostName attribute, can manipulate that mapping. By altering the attribute to match a different, more privileged account, a lower-privileged user can request a certificate that ends up mapping to that higher-privileged identity. Consequently, the hacker will be able to act by authenticating as if he were logged on to that more privileged account, in the worst-case scenario, as a domain administrator.

What makes CVE-2022-26923 dangerous isn’t the complexity of exploitation. It’s the opposite. The technique doesn’t require exotic tools or deep technical sophistication once the misconfiguration is understood, which is part of why it remains a frequent target in penetration tests and red team engagements.

Why This Keeps Showing Up in Assessments

Many organizations make the mistake of assuming that with a patch in place, there’s no risk anymore. However, this does not apply in this case. Microsoft’s May 2022 update addressed part of the underlying issue, but full protection also depends on configuration changes that many environments never implement, such as enabling strong certificate mapping enforcement. Left in a default or partially patched state, systems remain exposed to the same underlying logic flaw.

A few reasons this vulnerability continues to appear during audits:

  • AD CS is often deployed once and forgotten. Certificate services get set up during initial domain build-out and rarely receive ongoing review.
  • Attribute permissions are inherited incorrectly. Many environments grant broader write access to computer or user attributes than intended, often as a byproduct of delegated administration models set up years earlier.
  • Patch compliance is not the same as configuration compliance. Teams confirm patches were installed but don’t verify that certificate mapping enforcement settings were actually changed.
  • Legacy compatibility concerns delay hardening. Some organizations postpone enabling strict enforcement because older applications or devices rely on the weaker mapping behavior.
  • Visibility into AD CS is limited. Certificate services don’t get the same monitoring attention as domain controllers or endpoint security tools, so misconfigurations go unnoticed.

This is where the “I didn’t know I had these problems” reaction becomes common. Administrators often know their patch levels are current. What they don’t know is whether the supporting configuration was ever finished.

What an Assessment Actually Involves

A proper AD vulnerability assessment doesn’t stop at checking whether patches were applied. Reviewers typically walk through certificate template permissions, attribute-level access controls, and the specific registry and group policy settings tied to strong certificate mapping. In the case of the CVE-2022-26923 Active Directory vulnerability, the focus should be on identifying if a low-privileged authenticated user can manipulate attributes of their own object to impersonate.

During many engagements, the process eventually shifts from documentation review to controlled technical testing. Here is when testers become able to witness the CVE-2022-26923 active directory vulnerability demonstrated in practice rather than merely described in a report. Observing how a low-privileged account can manipulate certificate-based authentication to impersonate a domain controller often communicates the severity of the exposure more clearly than a written summary alone. 

Assessors typically also check for:

  1. Whether AD CS servers are running outdated or unpatched Windows Server builds.
  2. Whether the KB5014754 update (the patch addressing this and related certificate mapping issues) has been applied and configured correctly, not just installed.
  3. Whether certificate templates allow enrollee-supplied subject names, which can compound the risk.
  4. Whether audit logging on certificate issuance is enabled and monitored.

The Gap Between Awareness and Action

As per the mitigation guidelines issued by Microsoft following the disclosure, complete mitigation needs to be done in phases, starting from applying the initial patch to monitoring any compatibility issues, after which full enforcement of strong certificate mapping will be done. Many organizations completed the first step and stalled before the third. Research from the broader security community, including analyses published by penetration testing firms in the years since disclosure, has consistently found AD CS misconfigurations, including exposure tied to CVE-2022-26923, among the most frequently identified privilege escalation paths in internal network assessments.

This is the gap between “patched” and “properly configured”. It is not because the organisation ignored the vulnerability but because mitigating the same required more coordination across identity, infrastructure, and application teams than a single update could provide.

What We’ve Learned

Vulnerability assessments involving CVE-2022-26923 tend to reveal something much more than a single technical flaw. They display how easily a partially completed remediation can leave an organization with a false sense of security. Patch management, while necessary, isn’t adequate on its own when a vulnerability relies on configuration changes that go beyond installing an update.

For organizations that haven’t changed their AD CS configuration since 2022, it’s worth treating this as an open question rather than a closed one.

The most reliable way to know whether this exposure still exists is direct testing, not assumption. As many administrators realize during their first thorough assessment, the absence of a reported incident doesn’t mean the negation of risk.

FAQs

What does CVE-2022-26923 mean?

CVE-2022-26923 refers to a vulnerability in which the risk manifests as privilege escalation in an Active Directory Certificate Services (AD CS) system through which an attacker can exploit certificate-based authentication when impersonating a high-privilege identity, including a domain admin.

Why do some environments stay vulnerable even after applying the Microsoft patch?

Applying the patch alone does not solve the problem, as it is important to apply a complete configuration fix. This way, any enforcement relating to strong certificate mapping should be explicitly enabled in the registry or through group policies.

What certain attribute is being modified to take advantage of this vulnerability?

Attackers are most likely to work on object attributes, which they control, most frequently the dNSHostName attribute, turning it into something identical to a more privileged account.

Why do some organizations refrain from taking any actions to protect from this flaw?

Infrastructure teams may be concerned about applying rigorous enforcement stages due to concerns with some legacy devices or applications and cooperation with some older certificate mapping models.

How do security teams find out whether they are vulnerable?

Active Directory vulnerability assessment cannot be undertaken without permission audits, checking bugs in the KB5014754 update, and executing appropriate tests.




Related Posts