
CVE-2021-42278: Windows Server Privilege Escalation Flaw

CVE-2021-42278 is a privilege escalation vulnerability in Active Directory Domain Services on Windows Server (including Windows Server version 2004) that allows an authenticated attacker to gain elevated privileges. This article covers technical details, affected systems, detection, and mitigation.

CVE-2021-42278 Overview

CVE-2021-42278 is an elevation of privilege vulnerability in Microsoft Active Directory Domain Services (AD DS). The flaw allows an authenticated domain user to modify the sAMAccountName attribute of a computer account so it impersonates a domain controller. When chained with CVE-2021-42287, this technique is publicly known as the noPac or sAMAccountName spoofing attack and produces a full domain compromise from a standard user account.

The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and has been observed in attacks against enterprise Active Directory environments.

Critical Impact

A standard authenticated domain user can escalate to Domain Administrator by abusing weak validation of the sAMAccountName attribute on computer accounts.

Affected Products

  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2
  • Microsoft Windows Server 2016, 2019, 2022
  • Microsoft Windows Server version 2004 and 20H2

Discovery Timeline

  • 2021-11-10 - CVE-2021-42278 published to NVD by Microsoft
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2021-42278

Vulnerability Analysis

The vulnerability exists because Active Directory does not adequately validate the sAMAccountName attribute of computer objects. By default, any authenticated domain user can create up to ten computer accounts in the domain through the MS-DS-Machine-Account-Quota attribute. An attacker creates a computer account, then renames its sAMAccountName to match the name of a domain controller without the trailing $ character.

After the rename, the attacker requests a Kerberos Ticket Granting Ticket (TGT) for the spoofed account. The Key Distribution Center (KDC) issues a TGT under the domain controller identity. The attacker then renames the computer account back to its original name. Because the original TGT remains valid, follow-on Service Ticket requests via S4U2self return a ticket presenting the attacker as a high-privileged user on the domain controller.

When paired with CVE-2021-42287, this primitive yields a Kerberos service ticket impersonating a Domain Admin against the affected DC, enabling DCSync, remote code execution, and full forest compromise.

Root Cause

The root cause is improper input validation on the sAMAccountName attribute during computer account modification (NVD assigns no specific weakness, CWE-noinfo; the flaw maps to improper access control and authentication bypass). The directory service permits standard users to assign a computer name identical to an existing domain controller principal, breaking the uniqueness assumption Kerberos relies on for principal resolution.
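To make that uniqueness assumption concrete, here is an added illustration (not Microsoft's code and not the logic of the actual patch): a toy directory in which an unchecked rename lets an ordinary computer object take a name that resolves to the same Kerberos principal as DC01$, beside the validation a hardened rename path applies before committing the change. The directory contents, the names, and the modelled resolution rule (case-insensitive, trailing `$` ignored) are assumptions made for the example.

```python
"""Toy model of the sAMAccountName uniqueness check that CVE-2021-42278 lacked.

Added example, not the page's or Microsoft's code. SAMPLE_DIRECTORY is
constructed sample data; kerberos_key() models how two names become
indistinguishable to the KDC, it is not the real lookup implementation.
"""

# Constructed sample directory: sAMAccountName -> distinguishedName.
SAMPLE_DIRECTORY = {
    "DC01$": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
    "Administrator": "CN=Administrator,CN=Users,DC=corp,DC=example",
    "WKSTN-TEMP$": "CN=WKSTN-TEMP,CN=Computers,DC=corp,DC=example",
}


def kerberos_key(sam):
    """Modelled principal resolution (assumption for this example): names are
    compared case-insensitively and a missing trailing '$' is ignored, which is
    the lookup fallback the CVE-2021-42287 half of the chain depends on. Any two
    names with the same key are the same principal as far as the KDC is concerned."""
    return sam.rstrip("$").upper()


def rename_unchecked(directory, old_sam, new_sam):
    """Vulnerable behaviour: the requested value is stored without validation,
    so a standard user's computer object can shadow a domain controller."""
    directory[new_sam] = directory.pop(old_sam)


def validate_rename(directory, old_sam, new_sam, is_computer=True):
    """Hardened check. Returns (ok, reason). A computer object must keep its
    trailing '$', and the new name may not resolve to any *other* principal."""
    if is_computer and not new_sam.endswith("$"):
        return False, "computer sAMAccountName must end with '$'"
    for existing in directory:
        if existing != old_sam and kerberos_key(existing) == kerberos_key(new_sam):
            return False, f"collides with existing principal {existing}"
    return True, "ok"


def rename_checked(directory, old_sam, new_sam, is_computer=True):
    """Rename that only commits when validate_rename() accepts the new value."""
    ok, reason = validate_rename(directory, old_sam, new_sam, is_computer)
    if ok:
        directory[new_sam] = directory.pop(old_sam)
    return ok, reason


if __name__ == "__main__":
    weak = dict(SAMPLE_DIRECTORY)
    rename_unchecked(weak, "WKSTN-TEMP$", "DC01")
    print("unchecked directory now holds:", sorted(weak))
    print("same principal to the KDC:", kerberos_key("DC01") == kerberos_key("DC01$"))
    print("hardened path:", rename_checked(dict(SAMPLE_DIRECTORY), "WKSTN-TEMP$", "DC01"))
```

The collision test compares keys rather than raw strings on purpose: a check that only looks for an exact duplicate of `DC01$` would still accept `DC01`, which is precisely the value the attack chain relies on.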

Attack Vector

The attack requires network access and valid domain credentials, with no user interaction. Exploitation typically uses tools such as noPac.py, Rubeus, or Impacket's addcomputer.py and renameMachine.py. The vulnerability can be exploited remotely against any reachable domain controller, and the resulting tickets grant complete control of the domain.

No verified exploit code is reproduced here. Refer to the Microsoft Security Advisory for CVE-2021-42278 and the CISA Known Exploited Vulnerabilities entry for vendor-supplied technical detail.

Detection Methods for CVE-2021-42278

Indicators of Compromise

  • Event ID 4741 (computer account created) followed by Event ID 4742 (computer account changed) where the new sAMAccountName matches an existing domain controller name without the $ suffix.
  • Event ID 4624 logon events on domain controllers showing service tickets issued to anomalous machine principals.
  • Kerberos Event ID 4769 service ticket requests where the target account name lacks the $ suffix expected for machine accounts.
  • Sudden spikes in computer account creation by non-privileged users approaching the MS-DS-Machine-Account-Quota limit.

Detection Strategies

  • Correlate computer account creation, rename, and Kerberos TGT requests within short time windows against the same principal.
  • Alert on any sAMAccountName value on a computer object that matches an existing domain controller's hostname.
  • Hunt for Kerberos PAC validation anomalies between TGT and TGS requests, which is the signal CVE-2021-42287 introduces when chained.
  • Monitor Active Directory replication and DCSync requests originating from newly created or renamed machine accounts.
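As an added example (not part of the original page), the following Python implements the first two strategies above, plus the static audit suggested by the indicators list, over constructed sample records: a sequence rule that correlates a 4741 creation, a 4742 rename to a domain controller name, and a 4768 TGT request for the spoofed name inside one time window, and a static rule that flags computer objects whose sAMAccountName lacks the trailing `$` or resolves to a DC hostname although the object is not in the Domain Controllers OU. The DC hostnames, the 10-minute window, the event field names, and every sample event and object are assumptions for the example; a real pipeline would fill the same fields from EVTX or a SIEM export.

```python
"""Detection rules for the CVE-2021-42278 sAMAccountName spoofing pattern.

Added example, not code from the original page. Events and computer objects
below are constructed sample data; DOMAIN_CONTROLLERS and WINDOW are assumed.
"""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed DC hostnames, without trailing '$'
WINDOW = timedelta(minutes=10)          # assumed correlation window

# Constructed sample events: 4741 create, 4742 change (new_sam = new name), 4768 TGT request.
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2021-12-01T10:00:00", "subject": "CORP\\jdoe", "target": "WKSTN-TEMP$"},
    {"id": 4742, "time": "2021-12-01T10:00:05", "subject": "CORP\\jdoe", "target": "WKSTN-TEMP$", "new_sam": "DC01"},
    {"id": 4768, "time": "2021-12-01T10:00:09", "account": "DC01", "client_ip": "10.0.0.55"},
    {"id": 4742, "time": "2021-12-01T10:00:12", "subject": "CORP\\jdoe", "target": "DC01", "new_sam": "WKSTN-TEMP$"},
    # benign activity that must not alert
    {"id": 4741, "time": "2021-12-01T11:00:00", "subject": "CORP\\helpdesk", "target": "LAPTOP-042$"},
    {"id": 4768, "time": "2021-12-01T11:00:30", "account": "LAPTOP-042$", "client_ip": "10.0.1.9"},
]

# Constructed sample computer objects (sAMAccountName, distinguishedName) for the static rule.
SAMPLE_COMPUTER_OBJECTS = [
    {"sam": "DC01$", "dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"},
    {"sam": "DC01", "dn": "CN=WKSTN-TEMP,CN=Computers,DC=corp,DC=example"},
    {"sam": "LAPTOP-042$", "dn": "CN=LAPTOP-042,CN=Computers,DC=corp,DC=example"},
    {"sam": "DC02$", "dn": "CN=ROGUE,CN=Computers,DC=corp,DC=example"},
]


def normalize(sam):
    """Case-insensitive comparison key with the trailing '$' removed."""
    return sam.rstrip("$").upper()


def resolves_to_dc(sam, dcs=DOMAIN_CONTROLLERS):
    """True if the name matches a DC hostname once case and the trailing '$' are ignored."""
    return normalize(sam) in {normalize(d) for d in dcs}


def audit_computer_objects(objects, dcs=DOMAIN_CONTROLLERS):
    """Static rule: flag computer objects with no trailing '$', or whose name
    resolves to a DC while the object lives outside the Domain Controllers OU."""
    flagged = []
    for obj in objects:
        in_dc_ou = "OU=Domain Controllers," in obj["dn"]
        if not obj["sam"].endswith("$") or (resolves_to_dc(obj["sam"], dcs) and not in_dc_ou):
            flagged.append(obj["sam"])
    return flagged


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Sequence rule: a 4742 that renames a non-DC computer object to a DC name,
    scored higher when the same subject created the object shortly before (4741)
    and a TGT was requested for the spoofed name shortly after (4768)."""
    alerts = []
    for ev in events:
        if ev["id"] != 4742 or "new_sam" not in ev:
            continue
        new_sam = ev["new_sam"]
        if not resolves_to_dc(new_sam, dcs) or resolves_to_dc(ev["target"], dcs):
            continue  # not a DC name, or a change to the DC's own object
        t = _ts(ev)
        created = [e for e in events if e["id"] == 4741 and e["subject"] == ev["subject"]
                   and e["target"] == ev["target"] and t - window <= _ts(e) <= t]
        tgt_reqs = [e for e in events if e["id"] == 4768 and e["account"] == new_sam
                    and t <= _ts(e) <= t + window]
        alerts.append({
            "time": ev["time"], "subject": ev["subject"], "object": ev["target"],
            "spoofed_name": new_sam,
            "missing_dollar": not new_sam.endswith("$"),
            "created_by_same_subject": bool(created),
            "tgt_requested": bool(tgt_reqs),
            "severity": "high" if created and tgt_reqs else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    print("objects to review:", audit_computer_objects(SAMPLE_COMPUTER_OBJECTS))
```

The rename back to the original name (the second 4742 in the sample) produces no alert on its own; it is the first rename, to a DC name, that carries the signal, and the `medium` severity keeps a lone rename visible even when the creation or the TGT request falls outside the retention or the window.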

Monitoring Recommendations

  • Forward Windows Security logs from all domain controllers to a centralized SIEM or data lake with retention of at least 90 days.
  • Enable advanced Kerberos service ticket auditing (Event IDs 4768, 4769, 4770) on every domain controller.
  • Baseline normal computer account creation patterns and trigger on deviations by user account or source workstation.

How to Mitigate CVE-2021-42278

Immediate Actions Required

  • Apply the November 2021 Microsoft security updates to every domain controller in the forest, prioritizing internet-facing and tier-0 systems.
  • Set the MS-DS-Machine-Account-Quota attribute to 0 for non-privileged users to remove the ability to create computer accounts.
  • Audit existing computer accounts for sAMAccountName values that match domain controller hostnames and remove or rename them.
  • Rotate the krbtgt account password twice if compromise is suspected, following Microsoft's reset guidance.

Patch Information

Microsoft released patches for CVE-2021-42278 on November 9, 2021 as part of the monthly Patch Tuesday update cycle. Refer to the Microsoft Security Advisory for CVE-2021-42278 for the cumulative update KB numbers that apply to each Windows Server version. Both CVE-2021-42278 and CVE-2021-42287 must be patched together; applying only one does not block the noPac attack chain.

Workarounds

  • Restrict computer account creation by setting MS-DS-Machine-Account-Quota to 0 and delegating account creation to a dedicated administrative group.
  • Apply Microsoft's PowerShell script guidance to identify accounts with suspicious sAMAccountName values.
  • Restrict Kerberos delegation and disable unconstrained delegation on domain controllers.
```powershell
# Set the machine account quota to 0 so authenticated users can no longer create computer accounts
Set-ADDomain -Identity (Get-ADDomain) -Replace @{"ms-DS-MachineAccountQuota"="0"}

# Audit computer accounts whose sAMAccountName lacks the trailing $ or collides with a DC name
# (whenCreated is not returned by default, so it must be requested explicitly)
$dcNames = (Get-ADDomainController -Filter *).Name
Get-ADComputer -Filter * -Properties sAMAccountName, whenCreated |
  Where-Object {
    $_.sAMAccountName -notlike '*$' -or
    ($dcNames -contains $_.sAMAccountName.TrimEnd('$') -and $_.DistinguishedName -notlike '*OU=Domain Controllers,*')
  } |
  Select-Object Name, sAMAccountName, DistinguishedName, whenCreated
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
