
Proposing ESC17 #344

Open

NeffIsBack wants to merge 3 commits into ly4k:main from NeffIsBack:ESC17

Conversation

@NeffIsBack

Earlier this year, @Coontzy1 from TrustedSec published a blog post in which he detailed how an attacker could abuse a misconfigured ADCS template to spoof a WSUS server and perform an NTLM relay attack.
@shaaati and I have extended this research by exploring how to leverage such templates to gain code execution on HTTPS-enabled WSUS clients: https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/

In short, with a template that allows supplying the SAN and allows server authentication you can:

  • Request a valid certificate for a WSUS server
  • Intercept WSUS client traffic (e.g., via ARP spoofing on the local network)
  • Serve a malicious Windows Update which is executed with local admin privs

This is an extension of the WSUS attack known since 2015 (but so far only worked against plaintext connections).

For the following reasons, we suggest assigning a new ESC number (ESC17) to such templates (allows Server Authentication, allows supplying the SAN) in order to systematically identify and track these risks in Active Directory:

  • The prerequisites are very similar to ESC1 and an incomplete mitigation of ESC1 could lead to the attack described above.
  • Even though the attack does not exclusively target ADCS but merely uses it as a stepping stone, it will---if successful---result in an “escalation of privileges” based on a misconfiguration in an ADCS template.
  • If a TLS-channel is established using a trusted certificate from an internal PKI, clients should be able to trust its authenticity. The possibility to impersonate arbitrary DNS names breaks this assumption and is therefore a (potentially security-relevant) misconfiguration of a certificate template.
    • For the particular case of WSUS, this means that the above-mentioned attack cannot be mitigated by configuring WSUS more securely but only by securing the vulnerable certificate template in ADCS.
[Screenshot: esc17-certipy]

If this PR is accepted, the wiki must be updated as well. @ly4k we are happy to help with that.

Everyone, feel free to discuss what you think about this approach. We are open to suggestions.
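As an added example (not Certipy's code and not part of the PR), the following Python audits certificate-template attributes for the two ESC17 conditions named above: the enrollee may supply the subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag) and the EKU set permits Server Authentication. Treating Any Purpose or an empty EKU list as also permitting server authentication, and reporting whether manager approval (CT_FLAG_PEND_ALL_REQUESTS) is required, are this example's assumptions; the template records are constructed sample data.

```python
from typing import Iterable, List, Tuple

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
OID_ANY_PURPOSE = "2.5.29.37.0"                 # anyExtendedKeyUsage


def allows_server_auth(ekus: Iterable[str]) -> bool:
    """True if the template's EKU set permits TLS server authentication.
    Assumption of this example: Any Purpose or no EKU restriction also counts."""
    ekus = list(ekus)
    return not ekus or OID_SERVER_AUTH in ekus or OID_ANY_PURPOSE in ekus


def enrollee_supplies_subject(name_flag: int) -> bool:
    """True if the requester chooses the subject and SAN of the certificate."""
    return bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def find_esc17(templates: List[dict]) -> List[Tuple[str, bool]]:
    """Return (template name, manager_approval_required) for every template
    that lets the enrollee pick the SAN and permits Server Authentication.
    Each dict mimics the LDAP attributes of a pKICertificateTemplate object."""
    hits = []
    for t in templates:
        if enrollee_supplies_subject(t.get("msPKI-Certificate-Name-Flag", 0)) \
                and allows_server_auth(t.get("pKIExtendedKeyUsage", [])):
            approval = bool(t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
            hits.append((t["name"], approval))
    return hits


# Constructed sample templates (not taken from a real domain).
SAMPLE_TEMPLATES = [
    {"name": "WebServerSAN", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "pKIExtendedKeyUsage": [OID_SERVER_AUTH]},
    {"name": "UserLike", "msPKI-Certificate-Name-Flag": 0xA6000000,   # SAN built from AD, not supplied
     "msPKI-Enrollment-Flag": 0x29, "pKIExtendedKeyUsage": [OID_CLIENT_AUTH]},
    {"name": "AnyPurposeSAN", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "pKIExtendedKeyUsage": [OID_ANY_PURPOSE]},
    {"name": "ApprovedServer", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "pKIExtendedKeyUsage": [OID_SERVER_AUTH]},
]

if __name__ == "__main__":
    for name, needs_approval in find_esc17(SAMPLE_TEMPLATES):
        print(f"ESC17 candidate: {name} (manager approval required: {needs_approval})")
```

A manager-approval requirement lowers the risk but does not remove the misconfiguration; the fix the PR describes is securing the template itself (dropping enrollee-supplied subjects or the Server Authentication EKU).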

@NeffIsBack (Author)

@ly4k we have finally finished the wiki entry, which is currently available at: https://github.com/NeffIsBack/esc17-wiki

I don't think there is a way to PR to wikis so you probably have to either copy&paste the content or fetch&merge it into your local repository. If you need help with that or anything else hit us up.
