CVE Catalog

CVE-2026-12249

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile — higher than 2% of all known CVEs

Summary

An issue was discovered in Canonical ADSys versions up to v0.16.2, involving the use of an unencrypted HTTP connection to request the CA certificate from the AD CS server. An attacker can perform a Man-in-the-Middle attack, leading to the installation of a malicious certificate in the system's local trust store.

Risk Assessment

The organization is exposed to MITM attacks that can lead to the interception and decryption of TLS traffic, jeopardizing data confidentiality and communication integrity.

Recommendation

It is recommended to upgrade to version v0.16.3 to mitigate this vulnerability and ensure secure HTTPS connections when requesting certificates.

Original NVD description (English source)

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS