An attacker who exploits this vulnerability can obtain long-lived digital certificates that grant persistent access to your Active Directory environment without requiring a password, making the intrusion substantially harder to detect and terminate than a standard credential compromise. Because the certificates remain valid for a year or more after issuance, a successful attack can survive password resets, account lockouts, and other standard incident response actions. Organizations in regulated industries where Active Directory underpins access to sensitive systems face elevated exposure to audit failures, breach notification obligations, and operational disruption if certificate-based persistence goes undetected.
You Are Affected If
You run Active Directory Certificate Services (AD CS) with the Web Enrollment endpoint (/certsrv) enabled
Your environment has NTLM relay mitigations deployed but has not applied the January 2026 Microsoft Patch Tuesday update for CVE-2026-20929
DNS write permissions in your Active Directory-integrated DNS zones are not restricted to designated administrators
Extended Protection for Authentication (EPA) is not enforced on the AD CS Web Enrollment IIS application
Your AD CS CA is accessible from internal network segments where an attacker with initial access could perform DNS manipulation
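As an added audit example (not part of this advisory, and not a vendor tool), the PowerShell script below checks each exposure condition in the list above on a single AD CS host. It assumes the ServerManager, WebAdministration and ActiveDirectory modules are available, that Web Enrollment is hosted under the IIS "Default Web Site", and that the DNS zone is replicated domain-wide (DomainDnsZones). The domain DN, zone name and KB number are placeholders you must replace; the advisory does not give the KB identifier of the January 2026 update. The unwrapping of WebAdministration attribute values is also an assumption about how that module returns enum attributes.

```powershell
#Requires -RunAsAdministrator
# Added audit example, not from the advisory. Audits the "You Are Affected If"
# conditions on one AD CS host. $DomainDn, $ZoneName and $PatchKb are placeholders.
param(
    [string]$DomainDn = 'DC=example,DC=local',   # placeholder: your domain DN
    [string]$ZoneName = 'example.local',         # placeholder: AD-integrated zone to audit
    [string]$PatchKb  = 'KBNNNNNNN'              # placeholder: KB of the January 2026 update
)
Import-Module ServerManager, WebAdministration, ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

# WebAdministration may wrap attribute values in a ConfigurationAttribute object;
# unwrap .Value so string comparisons below work (assumption, see lead-in).
function Get-IisAttribute([string]$PSPath, [string]$Filter, [string]$Name) {
    $attr = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $attr -and $attr.PSObject.Properties['Value']) { return [string]$attr.Value }
    return [string]$attr
}

# 1. Is the Web Enrollment role (/certsrv) installed on this host?
if ((Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed) {
    $findings.Add('AD CS Web Enrollment (/certsrv) is installed on this host')

    # 2. Is EPA enforced on the CertSrv IIS application? Relay protection needs
    #    tokenChecking=Require, and the application must require SSL, otherwise
    #    there is no TLS channel for EPA to bind the authentication to.
    $app = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default site
    $epa = Get-IisAttribute $app 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
    if ($epa -ne 'Require') {
        $findings.Add("CertSrv EPA tokenChecking is '$epa'; expected 'Require'")
    }
    $ssl = Get-IisAttribute $app 'system.webServer/security/access' 'sslFlags'
    if ($ssl -notmatch 'Ssl') {
        $findings.Add("CertSrv does not require SSL (sslFlags='$ssl'); EPA cannot bind to a TLS channel")
    }
}

# 3. Is the January 2026 update present? Get-HotFix lists installed KBs.
if (-not (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)) {
    $findings.Add("Update $PatchKb is not installed")
}

# 4. Which principals can create or modify records in the AD-integrated zone?
#    Secure dynamic update grants Authenticated Users CreateChild by default, so
#    this check flags the default configuration, which is exactly the exposure.
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"  # assumption: domain-wide replication scope
$broadPrincipals = 'Authenticated Users|Everyone|Domain Users|Domain Computers'
$writeRights     = 'CreateChild|WriteProperty|GenericWrite|GenericAll'
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broadPrincipals -and
        ($_.ActiveDirectoryRights.ToString() -match $writeRights)
    } |
    ForEach-Object {
        $findings.Add("DNS zone $ZoneName grants $($_.IdentityReference) rights: $($_.ActiveDirectoryRights)")
    }

if ($findings.Count -eq 0) { 'No exposure conditions from the checklist were detected on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each CA host as an administrator. Zones replicated forest-wide live under DC=ForestDnsZones rather than DomainDnsZones, and zones stored in the domain partition sit under CN=MicrosoftDNS,CN=System, so adjust $zoneDn accordingly; each finding maps directly to one item in the list above, which makes the output usable as evidence for the patch and hardening verification the talking points call for.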
Board Talking Points
A patched Windows vulnerability allows attackers to silently obtain persistent access credentials in Active Directory environments, bypassing standard relay defenses that many organizations consider a complete control.
IT and security teams should verify the January 2026 Microsoft patch is applied across all Active Directory and certificate infrastructure within the next patch cycle, and audit recently issued certificates for anomalies.
Without remediation, an attacker with network access could establish year-long persistence that survives password resets and standard incident response, significantly increasing the cost and complexity of any future breach.
HIPAA — AD CS-issued certificates used to authenticate access to systems processing electronic protected health information (ePHI) could enable persistent unauthorized access, triggering breach assessment obligations under 45 CFR 164.308(a)(1)
PCI-DSS — Certificate-based persistence in AD environments that govern access to cardholder data systems implicates access control and monitoring requirements under PCI-DSS v4.0 Requirements 7 and 10