Tag
#active-directory
8 posts tagged #active-directory.
-
Analysis · Jun 2, 2026 · Colten Anderson
One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue. The interesting part is why the alarm and the data disagree, and why that disagreement shouldn't change your call.
-
Analysis · May 20, 2026 · Colten Anderson
They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.' On a Check Point gateway that meant unauthenticated file read, which meant password hashes, which meant ntds.dit within hours. It was a zero-day for a month before disclosure, and patching it doesn't undo the theft.
-
Analysis · May 20, 2026 · Colten Anderson
The 'test connection' button that mails your stored credentials to an attacker
CVE-2018-13374 lets an attacker recover the LDAP bind credentials stored in a FortiGate by pointing its LDAP connectivity test at a rogue server. It's a small bug with a broad lesson: 'test connection' features that transmit stored secrets are a credential-disclosure pattern.
-
Analysis · May 20, 2026 · Colten Anderson
noPac: any domain user to Domain Admin, no exploit code required
CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command. There's no memory corruption, just abused Active Directory name handling, riding on a default that lets ordinary users create computer accounts.
-
Analysis · May 20, 2026 · Colten Anderson
PetitPotam: make a domain controller authenticate to you, relay it, own the domain
CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to them. Relay that to Active Directory Certificate Services and you can mint a certificate as the DC. It's an Active Directory configuration problem as much as a patching problem.
-
Analysis · May 20, 2026 · Colten Anderson
ESXi handed out admin to a group named 'ESX Admins' and never checked who made it
CVE-2024-37085 is an auth bypass where domain-joined ESXi grants full control to any member of a group called 'ESX Admins,' without verifying the group is legitimate. At least four ransomware crews used it to encrypt hypervisors. ESXi 7.0 isn't getting a patch.
-
Analysis · May 20, 2026 · Colten Anderson
Zerologon: a crypto mistake that hands over the domain in seconds
CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin. CVSS 10, no credentials, seconds to exploit.
-
Field Note · May 15, 2026 · Colten Anderson
Nine PowerShell checks before you trust a Windows host
A short, native-PowerShell audit a Windows admin can run on any host in about ten minutes. The bad answers are unambiguous and the fixes are cheap.