CVE REFERENCE | HIGH SEVERITY
Active ThreatUpdated 10 min read

CVE-2022-26923: Certifried, AD Certificate Services Domain Privilege Escalation

How a missing validation check in Active Directory Certificate Services allowed any domain user to request a certificate that impersonates a Domain Controller, and use it to obtain domain admin-level Kerberos access

8.8
CVSS Score
Domain Admin
Resulting privilege
AD CS
Vulnerable component
May 2022
Patch date

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-26923, named Certifried by discoverer Oliver Lyak, is a privilege escalation vulnerability in Active Directory Certificate Services (AD CS) patched in May 2022. The flaw allows a domain user who can create or modify machine accounts to request a certificate that AD CS incorrectly associates with a Domain Controller, then use that certificate to authenticate to the KDC via Kerberos PKINIT and receive a domain admin-equivalent TGT, a complete Active Directory privilege escalation that requires no special permissions beyond a standard domain account.

Technical Root Cause: dNSHostName Attribute Manipulation

When a user or machine authenticates using a certificate (Kerberos PKINIT), the KDC identifies the account associated with the certificate using the Subject Alternative Name (SAN). The SAN in machine certificates typically contains the DNS host name of the machine (e.g., workstation01.corp.example.com).

AD CS validates that the SAN in a certificate request matches the machine's dNSHostName attribute in Active Directory. The vulnerability: there is no validation preventing a domain user from setting their machine account's dNSHostName to match a Domain Controller's DNS name.

Exploit steps:

  1. Attacker creates a machine account (using MachineAccountQuota) or controls an existing one
  2. Attacker modifies the dNSHostName attribute of their machine account to dc01.corp.example.com (matching the real DC)
  3. Attacker requests a certificate from AD CS for their machine account using the Machine/Computer certificate template
  4. AD CS issues a certificate with the SAN set to dc01.corp.example.com, impersonating the DC
  5. Attacker uses the certificate for Kerberos PKINIT authentication
  6. The KDC finds the account mapped to dc01.corp.example.com, the real Domain Controller, and issues a TGT for that DC account

Why AD CS Makes This Dangerous

Active Directory Certificate Services is a widely deployed PKI solution in enterprise environments, but its integration with Active Directory authentication creates significant attack surface. Certifried is part of a broader class of AD CS attacks (ESC1–ESC13, documented by SpecterOps in 'Certified Pre-Owned') that exploit the trust relationship between certificate enrollment and Kerberos authentication.

The specific risk of Certifried compared to other AD CS attacks: it requires no special certificate template misconfigurations. The default Machine or Computer certificate template, present in nearly every AD CS deployment, is sufficient for the exploit. This makes it applicable to a much wider range of environments than template-specific AD CS attacks.

1

Create or control a machine account

Using MachineAccountQuota (default allows 10 per domain user), create a new machine account. The attacker controls this account's attributes.

2

Set dNSHostName to match a Domain Controller

Modify the dNSHostName attribute of the attacker-controlled machine account to match the DNS name of a Domain Controller (e.g., DC01.corp.example.com). This requires write access to the attribute on the attacker's own machine account.

3

Request certificate from AD CS

Enroll a certificate from the Enterprise CA using the Machine or Computer template, authenticated as the attacker-controlled machine account.

4

AD CS issues certificate with DC's SAN

AD CS validates the SAN against dNSHostName (which now matches the DC) and issues a certificate with the DC's DNS name in the SAN. The certificate appears to belong to the Domain Controller.

5

PKINIT authentication yields DC-level TGT

Attacker uses the issued certificate for Kerberos PKINIT authentication. The KDC maps the certificate's SAN to the real DC account and issues a TGT with DC privileges, domain admin equivalent access.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detection

Detection indicators for Certifried exploitation:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Certifried is a symptom of a broader architectural risk: Active Directory Certificate Services is deeply trusted by Kerberos, and any misconfiguration or vulnerability in the certificate issuance process translates directly to privilege escalation in Active Directory. The May 2022 patch addresses this specific flaw, but organizations should treat Certifried as a prompt to conduct a full AD CS security audit using the SpecterOps 'Certified Pre-Owned' framework, the attack surface extends well beyond this single CVE.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2022-26923 (Certifried)?

CVE-2022-26923, named Certifried, is a privilege escalation vulnerability in Active Directory Certificate Services. By manipulating the dNSHostName attribute of a machine account, a domain user can obtain a certificate that AD CS issues as if it were for a Domain Controller. Using this certificate with Kerberos PKINIT authentication yields a TGT with domain admin-equivalent privileges.

Is Active Directory Certificate Services required for this vulnerability?

Yes. CVE-2022-26923 requires AD CS to be deployed in the environment with at least one Enterprise CA issuing certificates via the default Machine or Computer certificate template (or a template with similar settings). Environments without AD CS are not directly vulnerable to this specific attack chain.

How does Certifried differ from the PetitPotam/ESC8 AD CS attacks?

PetitPotam and ESC8 are NTLM relay attacks that coerce a DC to authenticate and relay that authentication to AD CS. Certifried (CVE-2022-26923) is a direct certificate request attack, no relay required. The attacker requests a certificate using their own credentials but manipulates the certificate attributes to impersonate a DC.

What is Kerberos PKINIT and how does it connect to Certifried?

PKINIT (Public Key Cryptography for Initial Authentication) is a Kerberos extension that allows authenticating to the KDC using an X.509 certificate instead of a password. When a user or machine authenticates via PKINIT, the KDC uses the Subject Alternative Name (SAN) in the certificate to identify the corresponding Active Directory account and issue a TGT for that account. Certifried abuses this by obtaining a certificate whose SAN matches a Domain Controller's DNS name. When used for PKINIT authentication, the KDC issues a TGT for the DC account rather than the attacker's account, granting domain admin-equivalent access through a fully legitimate cryptographic authentication exchange.

What is the broader 'Certified Pre-Owned' AD CS attack framework, and how does Certifried relate to it?

Certified Pre-Owned is a research framework published by SpecterOps (Will Schroeder and Lee Christensen) in 2021 that documented 13 AD CS misconfiguration attack paths (ESC1-ESC13) enabling privilege escalation through certificate manipulation. Certifried (CVE-2022-26923) is a separate, vulnerability-specific finding rather than one of the ESC misconfigurations, but it exploits the same underlying trust relationship: Kerberos trusts certificates issued by AD CS. Organizations that conducted AD CS security reviews using the ESC framework may still be vulnerable to Certifried if they did not apply the May 2022 patch, as it is not a misconfiguration but a code-level validation flaw in AD CS itself.

Can reducing MachineAccountQuota to 0 fully prevent Certifried?

Setting MachineAccountQuota to 0 removes the standard prerequisite for Certifried (the ability for domain users to create machine accounts), but it is not a complete mitigation. An attacker who already controls a machine account through other means (phishing a workstation, credential theft, prior compromise) can still modify that machine account's dNSHostName attribute to perform the Certifried attack. The May 2022 patch is the definitive fix; MachineAccountQuota reduction is an important defense-in-depth measure that also prevents noPac and other machine-account-based privilege escalation techniques.

Sources & references

  1. Oliver Lyak (ly4k), Certifried Discovery
  2. Microsoft Security Advisory, CVE-2022-26923
  3. NVD, CVE-2022-26923

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.