CVE-2021-42278 · CWE-20 · Disclosed 2021-11-10

Active Directory Domain Services Elevation of Privilege Vulnerability

ASSESSED — NOISGATE V0.5
01 · The Real Story

Like letting any badge holder repaint a janitor closet door to look like the CEO’s office

CVE-2021-42278 is the Active Directory sAMAccountName spoofing bug behind *noPac*. On vulnerable domain controllers, a low-privileged authenticated domain user can create or control a computer account, rename it to mimic a domain controller name *without* the trailing $, and abuse AD DS validation gaps to impersonate a DC identity. Affected are Windows Server domain controllers from 2008 SP2 through 2022 that have not received the November 9, 2021 security update or later; Microsoft's hardening ships in that update.

Microsoft’s HIGH label is directionally right, but the real-world story is sharper: this is not an unauthenticated perimeter bug, yet once an attacker has *any* domain user and internal AD reachability, the blast radius is often the whole domain—especially when chained with CVE-2021-42287 as *noPac*. KEV listing, mature PoCs, and repeated ransomware/operator use keep this out of MEDIUM; the authenticated-internal requirement keeps it out of CRITICAL.

"KEV-listed and domain-wide impact, but still a post-authenticated internal AD takeover path—not an internet-edge critical."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a normal domain user

The attacker first needs any authenticated AD principal and line-of-sight to a domain controller over LDAP/Kerberos. In practice this usually comes from phishing, infostealer loot, VPN user creds, or a compromised workstation already joined to the domain.
Conditions required:
  • Authenticated domain user credentials
  • Network access to DC LDAP/Kerberos services
  • AD DS in scope
Where this breaks in practice:
  • This is *post-initial-access* by definition
  • Segmentation, VPN posture controls, or tiering can block DC reachability
  • MFA may block the initial account theft path even though MFA does not stop the exploit itself
Detection/coverage: Traditional vuln scanners do not prove exploitability here; identity telemetry and DC log visibility matter more than network scanning.
STEP 02

Create or seize a machine account

Using built-in AD behavior or tooling like Powermad, addcomputer.py, or the noPac tooling chain, the attacker creates a computer account or reuses one they can modify. This often works because many domains still allow ordinary users to add workstations to the domain or otherwise create computer objects.
Conditions required:
  • Ability to create or modify a computer account
  • Default or delegated machine-join permissions
Where this breaks in practice:
  • Domains with ms-DS-MachineAccountQuota=0 and tight OU delegation break the easy path
  • Pre-staged computer accounts and locked-down join workflows reduce exposure
  • Some environments restrict who can write sAMAccountName or servicePrincipalName
Detection/coverage: Look for machine-account creation (4741) and unusual rename activity around computer objects.
STEP 03

Spoof the DC name with sAMAccountName

The attacker renames the controlled machine account to the name of a real domain controller without the trailing $, using tooling such as renameMachine.py, Set-MachineAccountAttribute, or noPac. CVE-2021-42278 exists because vulnerable DCs failed to enforce the right validation checks on non-admin machine-account changes.
Conditions required:
  • Writable machine account under attacker control
  • Unpatched DCs processing the rename
Where this breaks in practice:
  • Patched DCs reject the invalid computer-account naming pattern
  • Mixed DC patch states can create uneven behavior, but fully patched forests stop this step
  • Suspicious renames are high-signal and detectable if DC auditing is enabled
Detection/coverage: Microsoft added Directory-Services-SAM events 16990 and 16991; Elastic/Sigma content also flags 4781 where a computer account loses the trailing $.
STEP 04

Turn spoofing into domain admin via *noPac*

The attacker requests Kerberos tickets with tooling like Rubeus, getTGT.py, getST.py, or Ridter/noPac, then leverages CVE-2021-42287 PAC confusion so the KDC resolves the spoofed name as the real DC account. The result is a service ticket that can be used to impersonate a highly privileged user and pivot to full domain compromise.
Conditions required:
  • CVE-2021-42287 protections absent or incomplete on DCs
  • Kerberos path reaches a vulnerable KDC
  • Spoofed account successfully accepted in prior steps
Where this breaks in practice:
  • Requires the companion weakness in the chain to get the easy DA outcome
  • Post-November 2021 Microsoft hardening plus enforced PAC requestor validation breaks the clean chain
  • RODC/DC patch inconsistency can complicate attacker reliability
Detection/coverage: Coverage exists, but many scanners only report missing KBs. Hunt for the sequence of 4741/4781 plus abnormal 4768/4769, and KDC events 35-38 tied to PAC/requestor issues.
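The rename-and-ticket hunt described for steps 03 and 04 (4741 creations, 4781 renames that drop the trailing $, and the KB5008102 SAM block events) can be run directly against a DC's event logs. The script below is an added example, not part of the noisgate page, its verification payload, or Microsoft's guidance; the -Hours and -DomainController parameters are its own, it assumes the ActiveDirectory RSAT module is present, and the placement of events 16990/16991 in the System log follows KB5008102.

```powershell
<#
Added example (not from the noisgate page or Microsoft): hunts the noPac
rename pattern on one domain controller. Security 4781 (account renamed)
where the old sAMAccountName ends in '$' and the new one does not is the
core signal; a new name that equals a real DC hostname is rated HIGH.
4741 creations and Directory-Services-SAM 16990/16991 (System log, per
KB5008102) are collected as corroboration. Run elevated on the DC.
-Hours / -DomainController are this script's own (hypothetical) parameters.
#>
[CmdletBinding()]
param(
    [int]$Hours = 24,
    [string]$DomainController = $env:COMPUTERNAME
)

Import-Module ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddHours(-$Hours)

# Real DC hostnames, upper-cased; their computer accounts are "<NAME>$" in AD.
$dcNames = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToUpper() }

# Pull one named EventData field out of an event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent errors when nothing matches; treat "no events" as an empty result.
function Get-LogEvents {
    param([int[]]$Id, [string]$LogName = 'Security')
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = $LogName; Id = $Id; StartTime = $since
    } -ErrorAction SilentlyContinue
}

# 1. Renames (4781): flag a lost trailing '$' and/or a collision with a DC name.
$renames = foreach ($e in (Get-LogEvents -Id 4781)) {
    $old = [string](Get-EventField $e 'OldTargetUserName')
    $new = [string](Get-EventField $e 'NewTargetUserName')
    $lostDollar = $old.EndsWith('$') -and -not $new.EndsWith('$')
    $matchesDc  = $dcNames -contains $new.TrimEnd('$').ToUpper()
    if ($lostDollar -or $matchesDc) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Actor      = (Get-EventField $e 'SubjectUserName')
            OldName    = $old
            NewName    = $new
            LostDollar = $lostDollar
            MatchesDc  = $matchesDc
            Severity   = if ($matchesDc) { 'HIGH' } else { 'MEDIUM' }
        }
    }
}

# 2. Computer-account creations (4741): who created what in the same window.
$creations = foreach ($e in (Get-LogEvents -Id 4741)) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Creator = (Get-EventField $e 'SubjectUserName')
        Account = (Get-EventField $e 'TargetUserName')
    }
}

# 3. SAM hardening blocks (16990/16991): present only on patched DCs, so they
#    both confirm the fix is active and show someone tried the rename.
$samBlocks = Get-LogEvents -Id 16990, 16991 -LogName 'System' |
    Select-Object TimeCreated, Id, Message

$report = [pscustomobject]@{
    DomainController  = $DomainController
    Since             = $since
    SuspiciousRenames = @($renames)
    ComputerCreations = @($creations)
    SamBlockedEvents  = @($samBlocks)
}
$report | Format-List

# Non-zero exit so a scheduled run can page on a hit.
if ($report.SuspiciousRenames.Count -gt 0) { exit 1 } else { exit 0 }
```

Any MEDIUM or HIGH row should be correlated with 4768/4769 requests for the renamed account and with Kerberos-Key-Distribution-Center events 35-38 from the same window; a rename followed within minutes by a TGT request for the $-less name and a TGS request for a privileged user is the full *noPac* sequence.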
03 · Intelligence Metadata

The supporting signals.

In the wild: Yes. CISA KEV lists CVE-2021-42278 with date added 2022-04-11. CISA/FBI/partners later called out Black Basta affiliates for exploiting *NoPac* (CVE-2021-42278 + CVE-2021-42287).
PoC availability: Mature and abundant. Public tooling and walkthroughs include Ridter/noPac, ricardojba/Invoke-noPac, iaminzoho/samaccountname-spoofing, Impacket-based flows, and Rubeus tradecraft.
EPSS: 0.94066 (100th percentile), which is exactly what you expect for an exploit chain that reliably converts a low-priv AD foothold into Tier 0 impact.
KEV status: Listed. CISA KEV entry: added 2022-04-11, federal due date 2022-05-02.
CVSS reality check: Vendor CVSS is 7.5 with AV:N/AC:H/PR:L/UI:N. The important real-world translation is authenticated internal attacker, low privilege, domain-wide blast radius—not perimeter RCE, but catastrophic once inside.
Affected versions: AD DS on Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, plus affected Server SAC builds, when the DC had not received the 2021-11-09 security update or later.
Fixed versions: Apply Windows updates released on or after 2021-11-09 for CVE-2021-42278. For the practical *noPac* chain, Microsoft also required the 2021-11-14 OOB KDC updates for CVE-2021-42287 and later enforcement behavior. NVD minimum build examples: Server 2016 14393.4770, Server 2019 17763.2300, Server 2022 20348.350.
Exposure / scanning signal: This is not an internet-edge bug. Shodan/Censys-style exposure data is low-signal because the reachable population is primarily internal domain controllers. The meaningful exposure metric is whether ordinary users can still create/join computer accounts and whether *all* DCs are uniformly patched.
Disclosure timeline: Publicly fixed on 2021-11-09 Patch Tuesday; Microsoft published extra hardening guidance in KB5008102 and KB5008380, with PAC enforcement phases continuing into 2022-10-11.
Who explained it best: Microsoft documented the hardening; public operator-grade weaponization and detection writeups came quickly from Cloudbrothers, Fortinet, Elastic, and the broader AD offensive community under the name noPac.
04 · The Call

noisgate verdict.

Final Verdict: UNCHANGED at HIGH (8.3/10)

The decisive factor is that exploitation requires authenticated internal AD access, which makes this a post-compromise privilege-escalation path rather than an internet-edge emergency by default. It stays HIGH because the attacker only needs *low privilege* and the payoff is often full domain compromise, with KEV and real-world operator use removing any argument for downgrading it further.

Exploitability once an attacker has a normal domain account: HIGH
Domain-wide blast radius when chained as *noPac*: HIGH
How many of your domains still expose machine-account creation or inconsistent DC patch states: MEDIUM

Why this verdict

  • KEV and operator use push this up. This is not hypothetical; CISA KEV and later Black Basta reporting show real adversaries value the chain.
  • Only low privilege is needed once inside. Requiring a basic domain user is real friction, but it is weak friction in large enterprises where user-level compromise is common.
  • Blast radius is Tier 0. A successful chain moves from ordinary domain identity to DC impersonation and effectively domain-admin outcomes.
  • Population is broad inside enterprises. Active Directory is ubiquitous, and many estates historically left machine-join permissions or machine account quota in an attacker-friendly state.
  • Not perimeter-reachable keeps it below CRITICAL. The exploit path assumes internal reachability to DCs and an existing authenticated foothold, which compounds downward pressure versus unauthenticated edge bugs.

Why not higher?

This is not an unauthenticated internet-facing RCE. The attacker must already possess a valid domain account and be able to talk to domain controllers, which means the enterprise has already lost an earlier stage of the kill chain. That post-authentication requirement is meaningful enough to keep this out of CRITICAL even with a domain-wide payoff.

Why not lower?

Downgrading this to MEDIUM would ignore the real blast radius and the exploitation record. Once the prerequisites are met, tooling is mature, the chain is fast, and the result is often total AD control. KEV status is the tie-breaker: defenders should treat it as a top-priority HIGH, not routine backlog work.

05 · Compensating Control

What to do — in priority order.

  1. Set machine-account quota to zero — Set ms-DS-MachineAccountQuota to 0 unless you have a documented exception process. This cuts off the easiest self-service computer-account creation path used in *noPac* and, because this CVE has exploitation evidence, do it immediately, within hours as temporary risk reduction.
  2. Remove broad domain-join rights — Audit and restrict Add workstations to domain plus any delegated Create Computer Objects rights on OUs/containers. Limit these to controlled join accounts or automation only; complete the rollback of broad user access immediately, within hours where feasible, and finish exception cleanup no later than the normal HIGH window.
  3. Normalize every DC and RODC to the same patch floor — Mixed patch states are where AD bugs stay exploitable. Make sure all domain controllers, including RODCs and neglected DR/test DCs, are on the post-2021-11-09 floor and not carrying disabled PAC validation states; for a KEV-listed issue, treat this as immediate, within hours triage.
  4. Hunt the rename-and-ticket sequence — Alert on 4741, 4781, 4768, 4769, 16990, 16991, and KDC 35-38, especially a machine account renamed to lose the trailing $ followed by Kerberos ticket activity. Push this monitoring within hours because it is your best safety net while you validate patch uniformity.
  5. Tier and segment DC access — Reduce which user workstations, VPN enclaves, and server tiers can reach LDAP/Kerberos on DCs. This does not fix the flaw, but it raises the cost of converting a random user compromise into a DC-targeting path; implement within 30 days at the latest for the HIGH bucket if not already in place.
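Controls 1 and 2 above come down to three settings that can be audited from one place: the domain's ms-DS-MachineAccountQuota, explicit "Create Computer Objects" (or create-any-child) ACEs granted to broad principals on OUs and containers, and the "Add workstations to domain" user right. The script below is an added example, not part of the noisgate page or any noisgate tooling; the -Remediate switch is its own hypothetical parameter, it assumes the ActiveDirectory RSAT module, and the secedit export reflects the effective policy of the DC it runs on, so run it there as a local admin.

```powershell
<#
Added example (not from the noisgate page): audits the self-service
computer-account creation paths that compensating controls 1 and 2 close.
-Remediate (this script's own, hypothetical switch) sets the quota to 0
and honours -WhatIf. Run as local admin on a DC with RSAT AD tools.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

Import-Module ActiveDirectory -ErrorAction Stop
$domainDN = (Get-ADDomain).DistinguishedName
$findings = [System.Collections.Generic.List[string]]::new()

# 1. ms-DS-MachineAccountQuota: any non-zero value lets every authenticated user
#    create that many computer objects, the cheapest noPac starting point.
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -ne 0) {
    $findings.Add("ms-DS-MachineAccountQuota is $maq (expected 0) on $domainDN")
    if ($Remediate -and $PSCmdlet.ShouldProcess($domainDN, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

# 2. Explicit create rights on OUs/containers. bf967a86-... is the schemaIDGUID of
#    the 'computer' class; an empty ObjectType means 'create any child object'.
#    HasFlag also catches GenericAll, which includes CreateChild. Only explicit
#    (non-inherited) ACEs are reported so each delegation shows up once.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$broad = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'
$targets = @(Get-ADObject -Identity $domainDN) +
           @(Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
                 -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))')
foreach ($t in $targets) {
    try { $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)" } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($createChild)) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $computerClass) { continue }
        $who  = $ace.IdentityReference.Value          # e.g. "NT AUTHORITY\Authenticated Users"
        $name = $who.Split('\')[-1]
        if ($broad -contains $name) {
            $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'any child object' } else { 'computer objects' }
            $findings.Add("$who can create $scope under $($t.DistinguishedName)")
        }
    }
}

# 3. 'Add workstations to domain' (SeMachineAccountPrivilege) from the effective
#    policy of this DC. The default grants it to Authenticated Users (S-1-5-11);
#    Everyone (S-1-1-0) and Domain Users (RID 513) are equally broad.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
try {
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export produced no file' }
    $line = (Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=' | Select-Object -First 1).Line
    if ($line -and $line -match 'S-1-5-11|S-1-1-0|S-1-5-21-\d+-\d+-\d+-513') {
        $findings.Add("Add workstations to domain is granted broadly: $line")
    }
} catch {
    $findings.Add("Could not export user rights with secedit: $($_.Exception.Message)")
} finally {
    Remove-Item $inf -ErrorAction SilentlyContinue
}

[pscustomobject]@{
    Domain              = $domainDN
    MachineAccountQuota = $maq
    Findings            = $findings.ToArray()
    Result              = if ($findings.Count -eq 0) { 'CLEAN' } else { 'REVIEW' }
}
```

A REVIEW result with only the quota finding is the common case; explicit create-computer ACEs for broad groups on an OU are rarer and usually the residue of an old imaging or join workflow, which is where a pre-staged-account or dedicated join-account process should replace them.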
What doesn't work
  • WAF or internet edge filtering does not help because the exploit path targets internal AD protocols, not a web app.
  • Admin MFA alone does not solve this; the attacker only needs a low-priv domain user to start the chain.
  • Endpoint AV on a single workstation is not enough because the abuse happens through legitimate LDAP/Kerberos operations against domain controllers.
  • Patching only some DCs is not enough; inconsistent forests are exactly where identity bugs remain exploitable or hard to reason about.
06 · Verification

Crowdsourced verification payload.

Run this on each domain controller from an elevated PowerShell session. Example: powershell -ExecutionPolicy Bypass -File .\Test-CVE-2021-42278.ps1. It needs local admin rights to read OS/update state and works best on the target DC itself, not from an auditor workstation.

noisgate-verify.ps1 (PowerShell, read-only, safe)
# Test-CVE-2021-42278.ps1
# Purpose: Assess whether a Windows host that is a Domain Controller appears patched for CVE-2021-42278
# and whether the practical noPac chain still has obvious CVE-2021-42287 weak-state indicators.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Out-Result {
    param(
        [string]$State,
        [string]$Reason,
        [int]$Code
    )
    Write-Output ("{0}: {1}" -f $State, $Reason)
    exit $Code
}

try {
    # DomainRole 4 = backup DC, 5 = primary DC; anything else is not a DC.
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.DomainRole -notin 4,5) {
        Out-Result -State 'UNKNOWN' -Reason 'Host is not a domain controller (DomainRole != 4/5).' -Code 2
    }

    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $caption = $os.Caption
    $build = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR

    # Check for an obvious noPac weak state: the legacy CVE-2021-42287 registry knob present and disabled.
    $pacValue = $null
    try {
        $kdc = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Kdc' -ErrorAction Stop
        if ($null -ne $kdc.PacRequestorEnforcement) {
            $pacValue = [int]$kdc.PacRequestorEnforcement
        }
    } catch {
        $pacValue = $null
    }

    if ($pacValue -eq 0) {
        Out-Result -State 'VULNERABLE' -Reason 'PacRequestorEnforcement=0 indicates disabled legacy PAC requestor validation state; the noPac chain remains a concern.' -Code 1
    }

    # Precise NVD minimum safe build thresholds where available. Matching is done on
    # CurrentBuildNumber rather than the OS caption, because SAC releases (2004/20H2)
    # report a caption without a version string.
    $thresholds = @(
        @{ Name='Windows Server 2016'; Build=14393; MinUBR=4770 },
        @{ Name='Windows Server 2019'; Build=17763; MinUBR=2300 },
        @{ Name='Windows Server 2022'; Build=20348; MinUBR=350 },
        @{ Name='Windows Server, version 2004'; Build=19041; MinUBR=1348 },
        @{ Name='Windows Server, version 20H2'; Build=19042; MinUBR=1348 }
    )

    $known = $thresholds | Where-Object { $_.Build -eq $build } | Select-Object -First 1
    if ($null -ne $known) {
        if ($ubr -ge $known.MinUBR) {
            Out-Result -State 'PATCHED' -Reason ("{0} build {1}.{2} meets or exceeds minimum known fixed build {3}.{4}." -f $known.Name,$build,$ubr,$known.Build,$known.MinUBR) -Code 0
        } else {
            Out-Result -State 'VULNERABLE' -Reason ("{0} build {1}.{2} is below minimum known fixed build {3}.{4}." -f $known.Name,$build,$ubr,$known.Build,$known.MinUBR) -Code 1
        }
    }

    # Legacy server fallback: later cumulative/security rollups also contain the fix, so use installed update recency as a heuristic.
    if ($caption -match 'Windows Server 2012|Windows Server 2008') {
        $cutoff = Get-Date '2021-11-09'
        $hotfix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
        if ($null -eq $hotfix) {
            Out-Result -State 'UNKNOWN' -Reason 'Could not enumerate installed hotfixes on this legacy DC.' -Code 2
        }
        if ($hotfix.InstalledOn -ge $cutoff) {
            Out-Result -State 'PATCHED' -Reason ("Legacy DC latest hotfix {0} was installed on {1:yyyy-MM-dd}; verify all DCs in the forest are similarly updated." -f $hotfix.HotFixID,$hotfix.InstalledOn) -Code 0
        } else {
            Out-Result -State 'VULNERABLE' -Reason ("Legacy DC has no evidence of post-2021-11-09 security servicing; latest hotfix {0} installed {1:yyyy-MM-dd}." -f $hotfix.HotFixID,$hotfix.InstalledOn) -Code 1
        }
    }

    Out-Result -State 'UNKNOWN' -Reason ("Unrecognized server release '{0}' (build {1}.{2}); assess manually against Microsoft/NVD guidance." -f $caption,$build,$ubr) -Code 2
}
catch {
    Out-Result -State 'UNKNOWN' -Reason $_.Exception.Message -Code 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as an identity takeover bug with active exploitation, not a routine AD patch. Because it is KEV-listed, override the normal HIGH timing and patch / mitigate immediately, within hours: lock down machine-account creation and broad domain-join rights, verify every DC/RODC is on the post-2021-11-09 patch floor, and hunt for suspicious computer-account renames plus Kerberos anomalies. After the emergency containment pass, drive forest-wide cleanup to completion under the noisgate mitigation SLA exception of *immediately, within hours* for exploited issues, and finish durable patch compliance under the noisgate remediation SLA for HIGH findings of ≤180 days—but in practice, any DC exception should be escalated until closed.

Sources

  1. NVD CVE-2021-42278
  2. Microsoft KB5008102 — AD SAM hardening changes (CVE-2021-42278)
  3. Microsoft KB5008380 — Authentication updates (CVE-2021-42287)
  4. Microsoft Learn — Add workstations to domain
  5. Microsoft Learn — Active Directory domain join permissions
  6. CISA KEV Catalog entry
  7. Cloudbrothers — Exploit samAccountName spoofing with Kerberos
  8. CISA / partners — #StopRansomware: Black Basta