Skip to content


Active Directory Certificate Services Domain Escalation via Vulnerable PKI AD Object Access Controls

Base Score 7.5


Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. Several AD objects can have a security impact on the entire Enterprise AD CS system. Possibilities include the CA server's AD computer object, the CA server's RPC/DCOM server, or any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC=. If a low-privileged attacker can gain control over any of these objects they can likely compromise the entire PKI system.


Compromise of enterprise PKI System, leading to Domain Privilege Escalation.