ESC2

A template is vulnerable to ESC2 when a certificate template allows the requested certificate to be used for any purpose (such as the exploit for ESC3).

A certificate template with the following configuration is vulnerable to ESC2:

• The Enterprise CA grants low-privileged users enrollment rights.

• Manager approval is disabled.

• No authorized signatures are required.

• An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.

• The certificate template defines the Any Purpose EKU or no EKU.