CVE-2026-12249: Improper verification of cryptographic signature
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py), ADSys utilizes a plaintext HTTP connection (http://) instead of a secure HTTPS connection (https://) to request the CA certificate from the Active Directory Certificate Services server (GetCACert). An unauthenticated network attacker positioned between the managed Ubuntu host and the configured AD CS CA hostname can conduct a Man-in-the-Middle (MITM) attack. By intercepting the plaintext HTTP request, the attacker can supply an arbitrary, attacker-controlled Root CA certificate. Because the system automatically accepts this certificate and registers it into the local system trust store via update-ca-certificates, this results in system-wide trust store poisoning. Consequently, TLS clients utilizing the operating system trust store on the affected machine will accept rogue certificates for arbitrary domains, enabling persistent decryption and interception of subsequent TLS connections. This issue is resolved in version v0.16.3.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-12249 affects Canonical ADSys upstream versions through 0.16.2. During AD CS certificate auto-enrollment, the system uses a plaintext HTTP request to retrieve the CA certificate instead of HTTPS. An attacker positioned on the network path can intercept this request and provide a rogue Root CA certificate. The system automatically trusts and installs this certificate into the local trust store, causing system-wide trust store poisoning. As a result, TLS clients relying on the OS trust store will accept attacker-controlled certificates for arbitrary domains, enabling persistent interception and decryption of TLS traffic. The vulnerability is resolved in version 0.16.3.
Potential Impact
An unauthenticated network attacker can perform a Man-in-the-Middle attack to inject a malicious Root CA certificate into the system trust store. This compromises the integrity of TLS connections on the affected system, allowing interception and decryption of supposedly secure communications. The impact includes full confidentiality, integrity, and availability compromise of TLS-protected data on the affected host.
Mitigation Recommendations
Upgrade Canonical ADSys to version 0.16.3 or later, where this issue is resolved. Until the upgrade is applied, avoid using the vulnerable auto-enrollment feature over untrusted networks or ensure network-level protections against MITM attacks. Patch status is not explicitly stated as 'official-fix' in the advisory, but the fix is available in version 0.16.3.
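A transport and pinning gate for the GetCACert step, as an added example that is not ADSys or Samba code: it refuses a CA certificate fetched over plaintext http:// and one whose SHA-256 fingerprint is not operator-pinned, and audits the directory that update-ca-certificates consumes. The request path, the hypothetical function names and every certificate byte string are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-ins for DER certificate bytes (not real certificates);
# a deployment would pin the fingerprint of its real enterprise root CA.
EXPECTED_CA_DER = b"\x30\x82\x01\x00constructed-enterprise-root-ca"
ROGUE_CA_DER = b"\x30\x82\x01\x00constructed-attacker-root-ca"


class TrustStoreGuardError(Exception):
    """Raised when a fetched CA certificate must not be installed."""


def cacert_url(ca_host: str) -> str:
    """Build the GetCACert request URL with the scheme forced to https.
    The path is an assumption; the vulnerable pattern built it with http://."""
    return f"https://{ca_host}/certsrv/mscep/mscep.dll?operation=GetCACert"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def vet_ca_cert(url: str, der: bytes, pinned: set[str]) -> str:
    """Allow installation only if both checks hold:
    1. the certificate was requested over TLS (no plaintext http:// fetch), and
    2. its fingerprint matches an operator-provisioned pin.
    Returns the fingerprint on success so the caller can log it."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise TrustStoreGuardError(f"refusing CA cert fetched over {scheme!r}")
    fp = fingerprint(der)
    if fp not in pinned:
        raise TrustStoreGuardError(f"CA cert fingerprint {fp[:16]}... is not pinned")
    return fp


def safe_to_install(url: str, der: bytes, pinned: set[str]) -> bool:
    """Boolean wrapper around vet_ca_cert for callers that only gate."""
    try:
        vet_ca_cert(url, der, pinned)
        return True
    except TrustStoreGuardError:
        return False


def audit_local_store(store: dict[str, bytes], pinned: set[str]) -> list[str]:
    """Names of certificates in the local CA directory (the input of
    update-ca-certificates) whose fingerprints are not pinned."""
    return sorted(n for n, der in store.items() if fingerprint(der) not in pinned)
```

Running audit_local_store over the real CA directory after an enrollment run surfaces any root that was installed without matching a pin.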
CVSS v3.1
Score: 8.3 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: canonical
- Date Reserved: 2026-06-15T08:01:59.335Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a39735aeed863c81e39621f
Added to database: 06/22/2026, 17:39:38 UTC
Last enriched: 06/22/2026, 18:09:11 UTC
Last updated: 06/23/2026, 00:53:28 UTC