CVE-2022-26923
Published: 10 May 2022
Summary
CVE-2022-26923 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-17 (Public Key Infrastructure Certificates).
Deeper analysis
Active Directory Domain Services contains an elevation of privilege vulnerability tracked as CVE-2022-26923 and assigned CWE-295. The flaw affects domain controllers running the Active Directory Domain Services role and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, and low required privileges.
An authenticated attacker with low-privileged domain credentials can exploit the weakness over the network without user interaction to obtain high impact on confidentiality, integrity, and availability, enabling full domain compromise through privilege escalation.
Microsoft security updates and advisory guidance address the issue, while CISA includes the CVE in its catalog of known exploited vulnerabilities, confirming that patches have been released and should be applied promptly.
The associated EPSS score remains high, with a current value of 0.9160 and a peak of 0.9175, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31469
Vulnerability details
Active Directory Domain Services Elevation of Privilege Vulnerability
- CWE(s): CWE-295
- KEV Date Added: 18 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces access decisions so that a low-privileged account cannot obtain domain-admin rights through the certificate-validation flaw.
- SC-17 (Public Key Infrastructure Certificates): Requires proper issuance and validation of PKI certificates, directly mitigating the CWE-295 improper certificate validation that enables the elevation.
- Flaw remediation: Mandates timely application of the vendor patch that closes the Active Directory certificate-validation vulnerability.