When Vendor Documentation Creates Critical Attack Paths

This research identifies that numerous major vendors' documentation guides administrators to create insecure AD CS certificate templates (ESC1/ESC3/ESC4), enabling low-privileged or authenticated domain principals to obtain certificates that can be abused to impersonate principals, request TGTs, and compromise domains; the report catalogs affected products and vendors, demonstrates abuse with Certify.exe, presents responsible-disclosure timelines, and provides remediation recommendations for vendors and affected organizations.