Back to Blog
VulnerabilitiesJune 10, 202610 min read

ADCS ESC4: Certificate Template Write Privilege Escalation — Detection and Remediation

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

ESC4 is an ADCS attack path where a low-privileged user with Write or WriteDACL permissions on a certificate template can modify the template to introduce ESC1 conditions — enabling enrollment of certificates usable for domain administrator authentication. This is a configuration vulnerability, not a software bug. It exists in most enterprise ADCS deployments and requires no patch — only an ACL audit.

What Is ESC4?

ESC4 exploits misconfigured Write permissions on Active Directory certificate template objects. When a low-privileged user or group has Write, WriteDACL, or WriteOwner permissions on a template object in Active Directory, they can modify the template's attributes — including the Subject Name flags, Extended Key Usages, and enrollment permissions.

An attacker with these permissions can modify a template to allow enrollee-supplied Subject Names and grant Domain Users enrollment rights, effectively creating ESC1 conditions on demand. They can then enroll a certificate as any domain principal, including Domain Admins, and use it for Kerberos PKINIT authentication.

Who Is Affected

ESC4 conditions exist when any of the following are true on a certificate template:

  • Domain Users, Authenticated Users, or Domain Computers has Write, WriteDACL, or WriteOwner on the template object in AD.
  • A service account or help desk account used for enrollment operations has been granted Write permissions on templates.
  • The template was created by copying an existing template without reviewing the inherited ACL.
  • Third-party PKI management tools have been granted broad Write access to template objects.

Detection

Monitor for the following indicators of ESC4 exploitation:

  • Event ID 4899 — A Certificate Services template was changed. Any unexpected template modification should be investigated immediately.
  • Event ID 4900 — Certificate Services template security was updated. Correlate with the modifying account.
  • AD audit logs — unexpected ACL changes on certificate template objects in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration.
  • Run PSPKIAudit or Certify to enumerate templates with non-admin Write permissions.

Remediation

Audit all certificate templates for non-admin Write permissions. The following PowerShell snippet uses PSPKIAudit to enumerate vulnerable templates:

# Install PSPKIAudit
Install-Module -Name PSPKIAudit

# Find templates with ESC4 conditions
Get-PKIAuditTemplates | Where-Object { $_.ESC4 -eq $true } | Select-Object Name, ESC4, ACL
Why It Matters

ESC4 is a configuration vulnerability that exists silently in most enterprise ADCS deployments. It requires no exploit code — just knowledge of which templates have misconfigured ACLs. An attacker with a domain foothold and access to Certify or Certipy can enumerate ESC4 conditions in seconds. The fix is an ACL audit, not a patch.

Recommended Actions
  1. 1Run PSPKIAudit or Certify to enumerate all certificate templates with non-admin Write permissions.
  2. 2Remove Write/WriteDACL/WriteOwner permissions from non-admin principals on all certificate templates.
  3. 3Enable Manager Approval on sensitive templates as a defense-in-depth measure.
  4. 4Enable ADCS audit logging: "certutil -setreg CA\AuditFilter 127".
  5. 5Monitor Event ID 4899 and 4900 for unexpected template modifications.
InsecurePlanet Take

ESC4 is the silent killer in enterprise PKI. It requires no software vulnerability — just a misconfigured ACL that was probably set years ago and never reviewed. Run PSPKIAudit today. If you find ESC4 conditions, treat it as a critical finding and remediate immediately.

VulnerabilitiesADCSESC4Privilege Escalation
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon