The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not examine Certificate Revocation Lists (CRLs), which allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leveraging a revoked X.509 certificate for a domain account, aka "LDAPS Authentication Bypass Vulnerability."
Threat-Mapped Scoring
Score: 3.25
Priority: P2 - Serious (High)
S1 – Steal Customer Account Information
S9 – Sabotage of System/App (+0.25 bonus)
EPSS
Score: 0.07075Percentile:
0.91073
CVSS Scoring
CVSS v2 Score: 9.0
Severity:
Mapped CWE(s)
CWE-287
: Improper Authentication
All CAPEC(s)
CAPEC-114 : Authentication Abuse
CAPEC-115 : Authentication Bypass
CAPEC-151 : Identity Spoofing
CAPEC-194 : Fake the Source of Data
CAPEC-22 : Exploiting Trust in Client
CAPEC-57 : Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
CAPEC-593 : Session Hijacking
CAPEC-633 : Token Impersonation
CAPEC-650 : Upload a Web Shell to a Web Server
CAPEC-94 : Adversary in the Middle (AiTM)
CAPEC(s) with Mapped TTPs
CAPEC-114 : Authentication Abuse
Mapped TTPs:
T1548
: Abuse Elevation Control Mechanism
CAPEC-115 : Authentication Bypass
Mapped TTPs:
T1548
: Abuse Elevation Control Mechanism
CAPEC-57 : Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
Mapped TTPs:
CAPEC-593 : Session Hijacking
Mapped TTPs:
T1185
: Browser Session Hijacking
T1550.001
: Application Access Token
T1563
: Remote Service Session Hijacking
CAPEC-633 : Token Impersonation
Mapped TTPs:
T1134
: Access Token Manipulation
CAPEC-650 : Upload a Web Shell to a Web Server
Mapped TTPs:
CAPEC-94 : Adversary in the Middle (AiTM)
Mapped TTPs:
T1557
: Adversary-in-the-Middle
Mapped ATT&CK TTPs
T1548
: Abuse Elevation Control Mechanism
Kill Chain: privilege-escalation
T1548
: Abuse Elevation Control Mechanism
Kill Chain: privilege-escalation
T1040
: Network Sniffing
Kill Chain: credential-access
T1185
: Browser Session Hijacking
Kill Chain: collection
T1550.001
: Application Access Token
Kill Chain: defense-evasion
T1563
: Remote Service Session Hijacking
Kill Chain: lateral-movement
T1134
: Access Token Manipulation
Kill Chain: defense-evasion
T1505.003
: Web Shell
Kill Chain: persistence
T1557
: Adversary-in-the-Middle
Kill Chain: credential-access
Malware
APTs Threat Group Associations
Campaigns
Operation Wocao APT41 DUST ArcaneDoor SolarWinds Compromise Operation CuckooBees 2015 Ukraine Electric Power Attack Versa Director Zero Day Exploitation Leviathan Australian Intrusions C0032 HomeLand Justice C0017 Cutting Edge 2022 Ukraine Electric Power Attack FrostyGoop Incident
Affected Products
cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:-:sp1:x86:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x32:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:r2:*:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me