CVE-2021-42278

HIGH · KEV · RANSOMWARE

Active Directory Domain Services - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2021-42278 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added April 11, 2022), with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including safebuffer, Ridter, and ly4k.

AI-analyzed exploit summary

This PoC exploits CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Admin from a standard domain user by manipulating machine account quotas and sAMAccountName spoofing. It uses Impacket and LDAP interactions to achieve privilege escalation.

Description

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploits (8)

nomisec · WORKING POC · 1,041 stars
by safebuffer · poc
https://github.com/safebuffer/sam-the-admin

This PoC exploits CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Admin from a standard domain user by manipulating machine account quotas and sAMAccountName spoofing. It uses Impacket and LDAP interactions to achieve privilege escalation.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Active Directory Domain Services
Authentication: required
Prerequisites: Valid domain user credentials · MachineAccountQuota >= 1 · LDAP and SAMR access
Analyzed by devstral-2 · Feb 16, 2026
nomisec · WORKING POC · 975 stars
by Ridter · remote-auth
https://github.com/Ridter/noPac

This repository contains a Python-based exploit for CVE-2021-42278 and CVE-2021-42287, which allows a standard domain user to impersonate a Domain Admin (DA) by chaining vulnerabilities in Active Directory. The exploit includes functionality for obtaining a Kerberos ticket, executing commands via SMB, and dumping hashes.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Active Directory (Windows Server)
Authentication: required
Prerequisites: Valid domain user credentials · Network access to the domain controller · LDAP/LDAPS connectivity
Analyzed by devstral-2 · Feb 16, 2026
nomisec · WORKING POC · 276 stars
by ly4k · remote-auth
https://github.com/ly4k/Pachine

This is a Python implementation of CVE-2021-42278, an Active Directory privilege escalation exploit. It leverages a flaw in the Kerberos S4U2Self process to impersonate domain controllers or other machines, allowing an attacker to escalate privileges to domain admin.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Active Directory Domain Services
Authentication: required
Prerequisites: Valid domain credentials with permissions to create machine accounts · Network access to the domain controller
Analyzed by devstral-2 · Feb 16, 2026
nomisec · WORKING POC · 4 stars
by waterrr · remote-auth
https://github.com/waterrr/noPac

This repository contains a functional exploit for CVE-2021-42278 (noPac), which leverages a Kerberos authentication bypass to escalate privileges in Active Directory environments. The exploit chains CVE-2021-42278 with CVE-2021-42287 to achieve remote code execution (RCE) or credential dumping via SMB.

Classification: Working PoC (95%)
Attack Type: RCE | LPE | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Active Directory Domain Services (AD DS)
Authentication: required
Prerequisites: Valid domain user credentials · LDAP/SMB access to the domain controller · MachineAccountQuota >= 1
Analyzed by devstral-2 · Feb 16, 2026
nomisec · SCANNER · 2 stars
by cybersecurityworks553 · poc
https://github.com/cybersecurityworks553/noPac-detection

This repository contains a detection script for CVE-2021-42278 and CVE-2021-42287, which checks for vulnerabilities in Active Directory by analyzing TGT sizes and MachineAccountQuota values. It uses Impacket and LDAP queries to determine potential exploitability.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Active Directory Domain Services
Authentication: required
Prerequisites: Valid domain credentials · Access to domain controller IP
Analyzed by devstral-2 · Feb 16, 2026
patchapalooza · WORKING POC
by XiaoliChan · remote-auth
https://github.com/XiaoliChan/Invoke-sAMSpoofing

This repository contains a PowerShell script that exploits CVE-2021-42278, a vulnerability in Active Directory allowing privilege escalation via sAMAccountName spoofing. The script uses Rubeus for exploitation and demonstrates the attack by manipulating Kerberos authentication.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Active Directory (Windows Server)
Authentication: required
Prerequisites: Domain user access · Rubeus tool
Analyzed by devstral-2 · Feb 23, 2026
patchapalooza · WORKING POC
by ricardojba · remote-auth
https://github.com/ricardojba/Invoke-noPac

This repository contains a PowerShell script (Invoke-noPac.ps1) that exploits CVE-2021-42278, a privilege escalation vulnerability in Active Directory domain controllers. The script leverages a flaw in the SAM protocol to impersonate a domain controller and escalate privileges.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Active Directory Domain Controllers (Windows Server)
Authentication: required
Prerequisites: Domain user credentials · Access to a vulnerable Active Directory environment
Analyzed by devstral-2 · Feb 23, 2026
patchapalooza · WORKING POC
by cube0x0 · remote-auth
https://github.com/cube0x0/noPac

This repository contains a functional exploit for CVE-2021-42278, a vulnerability in Active Directory Domain Controllers that allows privilege escalation from domain user to domain admin. The exploit leverages Kerberos ticket manipulation to bypass authentication and gain elevated privileges.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Active Directory Domain Controllers (pre-patch)
Authentication: required
Prerequisites: Domain user credentials · Access to a vulnerable Domain Controller
Analyzed by devstral-2 · Feb 23, 2026

Scores

CVSS v3: 7.5
EPSS: 0.9407
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-04-11
VulnCheck KEV: 2022-04-11
InTheWild.io: 2022-04-06
ENISA EUVD: EUVD-2021-29254
Ransomware Use: Confirmed
Status: published

Products (9)
microsoft/windows_server_2004 < 10.0.19041.1348
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016 < 10.0.14393.4770
microsoft/windows_server_2019 < 10.0.17763.2300
microsoft/windows_server_2022 < 10.0.20348.350
microsoft/windows_server_20h2 < 10.0.19042.1348

Published: Nov 10, 2021
KEV Added: Apr 11, 2022
Tracked Since: Feb 18, 2026