CVE-2024-49019

HIGH

Active Directory Certificate Services - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-49019. PoCs published by rayngnpc, including Metasploit module lib/msf/core/exploit/remote/cert_request.

AI-analyzed exploit summary This repository provides a detailed detection guide for CVE-2024-49019, focusing on configuring Windows Server 2022 and Wazuh to monitor and detect exploitation attempts related to Active Directory Certificate Services (AD CS) attacks. It includes step-by-step instructions for audit policy configuration, log forwarding, and custom Wazuh rule creation.

Description

Active Directory Certificate Services Elevation of Privilege Vulnerability

Exploits (3)

nomisec WRITEUP 3 stars
by rayngnpc · poc
https://github.com/rayngnpc/CVE-2024-49019-rayng

This repository provides a detailed detection guide for CVE-2024-49019, focusing on configuring Windows Server 2022 and Wazuh to monitor and detect exploitation attempts related to Active Directory Certificate Services (AD CS) attacks. It includes step-by-step instructions for audit policy configuration, log forwarding, and custom Wazuh rule creation.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Active Directory Certificate Services (AD CS)
No auth needed
Prerequisites: Windows Server 2022 · Wazuh installation · Access to Group Policy Management
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/cert_request.rb

This Metasploit module exploits CVE-2024-49019 (ESC15) by crafting malicious certificate signing requests (CSRs) for Active Directory Certificate Services (ADCS). It supports various attack vectors including SAN manipulation, UPN/SPN spoofing, and on-behalf-of requests to escalate privileges.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory Certificate Services (ADCS)
No auth needed
Prerequisites: Access to ADCS enrollment endpoint · Valid certificate template vulnerable to ESC15
devstral-2 · analyzed Apr 14, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/ms_icpr.rb

This Metasploit module exploits CVE-2024-49019 by interacting with Microsoft Active Directory Certificate Services (AD CS) to request certificates with crafted attributes, potentially enabling privilege escalation or authentication bypass.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Active Directory Certificate Services (AD CS)
Auth required
Prerequisites: SMB access to target · Valid credentials for authentication · AD CS installed on target
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.8
EPSS 0.0470
EPSS Percentile 89.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-1390
Status published
Products (9)
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016 < 10.0.14393.7515
microsoft/windows_server_2019 < 10.0.17763.6532
microsoft/windows_server_2022 < 10.0.20348.2849
microsoft/windows_server_2022_23h2 < 10.0.25398.1251
microsoft/windows_server_2025 < 10.0.26100.2314
Published Nov 12, 2024
Tracked Since Feb 18, 2026