CVE-2026-12249
Status: Awaiting Analysis - Queue
ADSys AD CS Certificate Auto-Enrollment MITM Vulnerability

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Canonical Ltd.

Description
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor     Product   Version / Range
canonical  adsy      to 0.16.3 (exc)
canonical  adsy      0.16.3
canonical  adsys     to 0.16.3 (exc)
canonical  adsys     0.16.3
CWE ID    Description
CWE-348   The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
AI Quick Actions
Executive Summary

This vulnerability exists in Canonical ADSys versions through v0.16.2, where the system uses an unencrypted HTTP connection instead of HTTPS to request a CA certificate during Active Directory Certificate Services (AD CS) certificate auto-enrollment.

An unauthenticated attacker on the network can intercept this plaintext HTTP request and supply a malicious Root CA certificate. The system automatically trusts and installs this rogue certificate into its local trust store.

As a result, TLS clients on the affected machine will trust attacker-controlled certificates for any domain, enabling persistent interception and decryption of secure communications.

Impact Analysis

This vulnerability can lead to system-wide trust store poisoning, allowing an attacker to perform man-in-the-middle attacks on TLS connections.

  • An attacker can intercept and decrypt supposedly secure communications.
  • The attacker can impersonate arbitrary domains by presenting rogue certificates trusted by the system.
  • This compromises confidentiality and integrity of data transmitted over TLS on the affected machine.
Detection Guidance

This vulnerability can be detected by monitoring network traffic for plaintext HTTP requests to the Active Directory Certificate Services (AD CS) server during certificate auto-enrollment. Specifically, look for HTTP requests to URLs similar to 'http://<AD_CS_CA_hostname>/CertSrv/mscep/mscep.dll/pkiclient.exe?'.

Commands to detect this might include using network packet capture tools such as tcpdump or Wireshark to filter HTTP traffic to the AD CS CA hostname.

  • tcpdump -i <interface> -A 'tcp port 80 and host <AD_CS_CA_hostname>'
  • tshark -Y 'http.request and ip.addr == <AD_CS_CA_IP>' -T fields -e http.host -e http.request.uri

Additionally, inspecting the system trust store for unexpected or attacker-controlled Root CA certificates can help identify if the system has been compromised.
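The trust store check above can be scripted. The following is an added example (not ADSys, Samba or page code): a stdlib-only audit of the locally added CA directory that update-ca-certificates merges into the system bundle, comparing each certificate's SHA-256 fingerprint against an allowlist. The directory path is the usual Debian/Ubuntu layout and the allowlist fingerprint is a placeholder; both are assumptions.

```python
"""Audit the local CA directory that update-ca-certificates merges into the
system bundle; flag certificates whose fingerprint is not on an allowlist."""
import base64
import hashlib
import os
import re

# One PEM certificate block; re.S lets the base64 body span several lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (upper-case hex, colon-separated) of every
    certificate found in pem_text, in file order."""
    fps = []
    for body in _PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fps


def audit_local_cas(ca_dir, allowed):
    """Walk ca_dir and classify every .crt file by fingerprint.

    Returns a sorted list of (path, fingerprint, status); status is
    'expected' when the fingerprint is in the allowlist, else 'UNEXPECTED'.
    Everything here is trusted system-wide once update-ca-certificates
    has run, so each unexpected entry deserves a look.
    """
    allowed = {fp.upper() for fp in allowed}
    findings = []
    for root, _dirs, files in os.walk(ca_dir):
        for name in sorted(files):
            if not name.endswith(".crt"):   # only .crt files are picked up
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for fp in pem_fingerprints(fh.read()):
                    status = "expected" if fp in allowed else "UNEXPECTED"
                    findings.append((path, fp, status))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed directory; replace the placeholder with your AD CS root CA's
    # real fingerprint (e.g. from: openssl x509 -noout -fingerprint -sha256).
    PLACEHOLDER_FP = ":".join(["00"] * 32)
    for path, fp, status in audit_local_cas(
            "/usr/local/share/ca-certificates", {PLACEHOLDER_FP}):
        print(f"{status:10} {fp} {path}")
```

Run it periodically (or from a configuration-management check) and alert on any UNEXPECTED line; an entry that appeared around the time of an auto-enrollment run is the signal the guidance above describes.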

Mitigation Strategies

The immediate mitigation step is to upgrade the Canonical ADSys software to version v0.16.3 or later, where the vulnerability is fixed by changing the certificate retrieval URL from HTTP to HTTPS.

Until the upgrade is applied, network administrators should ensure that network traffic between the managed Ubuntu hosts and the AD CS server is protected, for example by using network segmentation, VPNs, or other secure tunnels to prevent Man-in-the-Middle attacks.

Additionally, review and remove any suspicious or attacker-controlled Root CA certificates from the local system trust store to prevent trust store poisoning.

Compliance Impact

This vulnerability allows an unauthenticated network attacker to perform a Man-in-the-Middle (MITM) attack by intercepting plaintext HTTP requests for CA certificates, resulting in system-wide trust store poisoning. Consequently, TLS clients on the affected system may accept rogue certificates, enabling persistent interception and decryption of TLS connections.

Such a compromise of TLS security can lead to unauthorized access to sensitive data in transit, which may violate security requirements mandated by common standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity during transmission.

Therefore, this vulnerability negatively impacts compliance with these standards by undermining the trustworthiness of encrypted communications and potentially exposing protected data to attackers.
