EKUwu: Not just another AD CS ESC
ID: 0dfabdf4-d6be-561c-bfcd-381a3e63626a
STIX ID: report--0dfabdf4-d6be-561c-bfcd-381a3e63626a
Feed Name: TrustedSec blog
This report describes a CVE-class AD CS vulnerability (EKUwu / ESC15) in default version 1 certificate templates. An attacker with enrollment rights can inject Microsoft Application Policies into issued certificates, overriding EKU restrictions and enabling client authentication, certificate request agent, and code signing certificates, which facilitates privilege escalation and domain compromise. The issue was reported to MSRC, weaponized in community tools, and has been patched, with recommended mitigations such as disabling vulnerable version 1 templates or cloning them to version 2.
