What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

What types of certificates are vulnerable to this type of attack?

Certificates issued from a version 1 certificate template whose Source of subject name is set to "Supplied in the request" are potentially vulnerable if the template is not secured according to the best practices published in the Securing Certificate Templates section of Securing PKI: Technical Controls for Securing PKI | Microsoft Learn.

How do I know if my PKI environment is vulnerable to this type of attack?

Check whether you have published any version 1 certificate template where the Source of subject name is set to "Supplied in the request" and the Enroll permission is granted to a broad set of accounts, such as Domain Users or Domain Computers. The built-in Web Server template is an example of such a template, but it is not vulnerable by default because its Enroll permission is restricted.
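The check described in the last answer can be scripted against the Configuration naming context. The PowerShell below is an added example, not part of the Microsoft advisory: it lists templates that are published on at least one enterprise CA, have schema version 1, carry the "Supplied in the request" flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), and grant Enroll (the Certificate-Enrollment extended right, or GenericAll) to a broad principal. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Configuration partition; the list of principals treated as "broad" is this example's own assumption and should be adjusted to your environment.

```powershell
# Added example (not part of the Microsoft advisory): find published version 1
# certificate templates with "Supplied in the request" and broad Enroll rights.
# Assumes the RSAT ActiveDirectory module; the AD: drive it creates is used for ACLs.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Certificate-Enrollment extended right GUID from the AD schema (controlAccessRight).
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$allRights  = [Guid]::Empty

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag.
$EnrolleeSuppliesSubject = 0x1

# Principals treated as "broad" for this audit (assumption: adjust to fit your forest).
$broadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

# Template names that are actually published on at least one enterprise CA.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag'

foreach ($t in $templates) {
    # Unpublished templates cannot be enrolled from, so they are skipped.
    if ($published -notcontains $t.Name) { continue }
    # Only version 1 templates are in scope for this advisory.
    if ($t.'msPKI-Template-Schema-Version' -ne 1) { continue }
    # Only templates where the enrollee supplies the subject name.
    if (-not ($t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject)) { continue }

    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # Allow ACEs that grant Enroll (directly, via "all extended rights", or via GenericAll)
    # to one of the broad principals. HasFlag is used because GenericAll is a bit mask
    # that already contains the ExtendedRight bit.
    $broadEnroll = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq $allRights))
        ) -and
        ($broadPrincipals -contains ($_.IdentityReference.Value -split '\\')[-1])
    }

    if ($broadEnroll) {
        [PSCustomObject]@{
            Template       = $t.Name
            SchemaVersion  = $t.'msPKI-Template-Schema-Version'
            SubjectInReq   = $true
            BroadEnrollees = ($broadEnroll.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
}
```

Run it from a domain-joined host as a user who can read the Configuration partition; an empty result means no published version 1 "Supplied in the request" template grants Enroll to one of the listed principals. The built-in Web Server template satisfies the first three conditions, so it only appears in the output if its Enroll permission has been widened from the default; any template that is reported should be reviewed against the Securing Certificate Templates guidance referenced above, starting with removing Enroll from the broad principal.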
Maturity: Exploit
<a href="https://x.com/bandrel/">Justin Bollinger</a> with <a href="https://www.trustedsec.com/">TrustedSec</a>, <a href="https://x.com/slobtresix0/">Scot Berner</a> with <a href="https://www.trustedsec.com/">TrustedSec</a>, <a href="https://x.com/louscicchitano/">Lou Scicchitano</a> with <a href="https://www.trustedsec.com/">TrustedSec</a>