CVE-2026-54121 – Active Directory Certificate Services Elevation of Privilege Vulnerability
“When attackers can turn a trusted certificate into administrator access, the foundation of identity security is put at risk.”
An improper authorization vulnerability in Active Directory Certificate Services (AD CS) allows an authenticated attacker to elevate privileges over the network. By exploiting the flaw, an attacker with low privileges could obtain a certificate that enables authentication as another machine. If a Domain Controller account is targeted, the attacker could gain administrator-level capabilities within Active Directory. Microsoft has released security updates for affected Windows client and server platforms.
CVSS Score: 8.8
SEVERITY: Critical
THREAT:
This vulnerability affects Active Directory Certificate Services by allowing an authenticated attacker with low privileges to exploit improper authorization and gain elevated permissions. By manipulating machine account attributes, an attacker can obtain a certificate that enables authentication using PKINIT. If the attack targets a Domain Controller account, it could lead to administrator privileges and the ability to perform privileged Active Directory operations across the domain.
EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by improper authorization (CWE-285) in Active Directory Certificate Services. An authenticated attacker with low privileges can manipulate attributes associated with a machine account and request a certificate that permits authentication as that machine through PKINIT. If a Domain Controller account is successfully impersonated, the attacker can perform highly privileged Active Directory operations, resulting in severe impacts to confidentiality, integrity, and availability.
EXPLOITABILITY:
Affected products include Windows 10 Version 1607, Windows 10 Version 1809, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025, including the listed Server Core installations. Exploitation requires network access and a low-privileged authenticated account but does not require user interaction.
BUSINESS IMPACT:
Active Directory Certificate Services is a critical component of enterprise identity infrastructure. Successful exploitation could allow attackers to impersonate trusted systems, obtain administrator privileges, compromise Active Directory, access sensitive business resources, deploy malware, and move laterally throughout the environment. A compromise of a Domain Controller account could have enterprise-wide consequences, affecting authentication and trust across the organization.
WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends deploying the appropriate security updates to all affected systems.
URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 8.8. Although Microsoft has not observed active exploitation, the vulnerability enables network-based privilege escalation and could allow attackers to obtain administrator privileges within Active Directory. Organizations should prioritize systems hosting Active Directory Certificate Services due to their critical role in enterprise authentication.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-285