
Ubuntu's AD Tool ADSys Trusts Forged Certificates: CVE-2026-12249 (CVSS 9.0) β€” Update Now

ADSys, the official tool for managing Ubuntu under Windows Active Directory, has a critical flaw (CVSS 9.0, CVE-2026-12249). Because certificate auto-enrollment ran over plain HTTP, an attacker on the network path can make endpoints trust forged certificates, enabling interception and impersonation. Fixes are out for each Ubuntu release; update now.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.23 · 6 min read

ADSys, the official tool for managing Ubuntu machines under Windows "Active Directory" (the system that centrally manages users and devices in an organization), has a critical flaw. It is tracked as CVE-2026-12249, with a CVSS score of 9.0 (Critical). Ubuntu's security notice was published on June 22, 2026. The tool itself is open source.

The problem: ADSys fetched certificates over unencrypted plain "HTTP." As a result, an attacker who can sit in the network path (a man-in-the-middle) can inject forged responses into the exchange with Active Directory Certificate Services (AD CS) and make the machine trust an attacker-controlled "root Certificate Authority (CA) certificate." That poisons the machine's trust store, the very basis for deciding what is genuine. Affected versions are ADSys 0.13.0–0.16.2, fixed in 0.16.3, with fixes also shipped to each Ubuntu LTS.

Affected versions and patch status (by distribution)

Target                  Status                      Fixed version                  Action
ADSys upstream          0.13.0–0.16.2 vulnerable    0.16.3                         Upgrade to 0.16.3+
Ubuntu 24.04 LTS        Fixed                       0.16.3~24.04.2                 Update via apt
Ubuntu 22.04 LTS        Fixed                       0.16.3~22.04.2                 Update via apt
Ubuntu 20.04 LTS (ESM)  Fixed                       0.9.2~20.04.2ubuntu0.1+esm2    Apply via Ubuntu Pro / ESM

Who is at risk, and what is the damage

This is exploitable only by an attacker positioned to intercept traffic on the internal network (a man-in-the-middle). In practice that means an attacker who has already breached the internal network, a compromised internal router or switch, or a malicious insider. It is not "anyone from across the internet," but it is a powerful way to expand damage once someone is inside.

Such an attacker catches the moment ADSys fetches a certificate over plain HTTP and makes the machine trust a forged root CA certificate as genuine. A root CA certificate is the topmost basis for deciding "this party is real," so trusting a fake one hands the root of the machine's trust decisions to the attacker.

A poisoned machine then mistakes the attacker's fake servers and websites for legitimate ones. Traffic that should be encrypted can be intercepted or altered, and credentials can be harvested through convincing fake screens. Because ADSys manages Ubuntu endpoints centrally via Active Directory, the same configuration is pushed to many machines, so a single man-in-the-middle attack could poison a whole fleet of AD-managed Ubuntu endpoints at once. That is why the update below is urgent.

What is happening, technically

It is classified as CWE-348 (Use of Less Trusted Source). As on Windows, ADSys can distribute certificates to Ubuntu endpoints through certificate auto-enrollment. Because that enrollment exchange ran over unencrypted HTTP, anyone in the path could replace the response in transit without the endpoint noticing.

Such an exchange should encrypt the traffic and verify the other party first. Over plain HTTP, the man-in-the-middle only has to inject a response returning an attacker-controlled root CA certificate to get it loaded into the endpoint's trust store. The fix revises how this enrollment traffic is handled. No user interaction is needed; the condition is whether the attacker can get into the network path.
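The check a practitioner wants after reading the paragraph above is whether anything has already been loaded into an endpoint's trust store that was not there before. The following script is an added example, not code from ADSys or from the Ubuntu advisory: it fingerprints every PEM certificate under a directory (SHA-256 over the decoded DER, the same value openssl prints for `-fingerprint -sha256`) and reports anchors missing from a known-good baseline. On Ubuntu, /usr/local/share/ca-certificates is where update-ca-certificates picks up locally added CAs, but this page does not say where ADSys writes enrolled certificates, so the directory to scan is a parameter. The PEM blobs built by fake_pem() are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import os
import re
import tempfile

# Matches one PEM certificate body; re.S lets the body span lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text: str) -> list[str]:
    """SHA-256 hex fingerprint of every CERTIFICATE block in a PEM text,
    computed over the decoded DER bytes."""
    out = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out


def scan_anchors(directory: str) -> dict[str, str]:
    """Map fingerprint -> file path for every *.crt / *.pem under directory."""
    found = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if not name.endswith((".crt", ".pem")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="ascii", errors="replace") as fh:
                for fp in fingerprints(fh.read()):
                    found[fp] = path
    return found


def unexpected_anchors(directory: str, baseline: set[str]) -> dict[str, str]:
    """Anchors present on disk whose fingerprint is not in the baseline snapshot."""
    return {fp: p for fp, p in scan_anchors(directory).items() if fp not in baseline}


def fake_pem(tag: bytes) -> str:
    """Constructed PEM-shaped blob for the demo; NOT a real certificate."""
    b64 = base64.encodebytes(b"constructed-not-a-real-cert:" + tag).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def demo() -> list[str]:
    """Build a temporary CA directory with one baselined anchor, then add a
    second one (what an injected root CA would leave behind) and return the
    file names flagged as unexpected."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "corp-root.crt"), "w") as fh:
            fh.write(fake_pem(b"corp"))
        baseline = set(scan_anchors(d))  # snapshot taken on a known-good machine
        with open(os.path.join(d, "injected.crt"), "w") as fh:
            fh.write(fake_pem(b"attacker"))
        return sorted(os.path.basename(p) for p in unexpected_anchors(d, baseline).values())


if __name__ == "__main__":
    print("unexpected anchors:", demo())
```

In a real deployment the baseline is the set of fingerprints captured from a freshly provisioned endpoint (or from the ca-certificates package plus your own enterprise roots), stored off-host; comparing by DER fingerprint rather than by file name means a rogue anchor cannot hide by reusing an expected file name.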

Confirmed vs. still unknown

βœ“ Confirmed facts

  • ✓ CVE-2026-12249 is CVSS 9.0; a MITM exploiting plain-HTTP cert enrollment poisons the trust store (NVD / Ubuntu)
  • ✓ Affected ADSys 0.13.0–0.16.2; fixed in 0.16.3, with fixes shipped to each Ubuntu LTS
  • ✓ Exploitation requires the attacker to be in the network path (man-in-the-middle)

? Not yet confirmed

  • ? Whether it has been exploited in the wild: not on CISA KEV at the time of writing
  • ? Whether a public PoC exists: no reliable public information confirmed at the time of writing

What to do now

Updating is the top priority. On Ubuntu, apply the security updates that have shipped. On 24.04 and 22.04, the usual sudo apt update && sudo apt upgrade brings adsys up to date; afterwards, apt-cache policy adsys shows the installed version so you can confirm it matches the fixed version for your release. Ubuntu 20.04 LTS is past standard support, so its fix comes via Ubuntu Pro / ESM (Expanded Security Maintenance). If you installed ADSys from upstream directly, move to 0.16.3 or later.

To limit exposure until you patch, you can temporarily disable certificate auto-enrollment, restrict management traffic to a trusted network segment, and review controls that detect or prevent internal MITM (traffic encryption and device authentication). Since ADSys is a base that manages many Ubuntu endpoints, start by identifying which endpoints use ADSys and certificate auto-enrollment, and patch those first.
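The "identify which endpoints use ADSys, then patch" step and the version table above both come down to one question per host: is the installed adsys package older than the fix for that release? The script below is an added example, not part of ADSys or the advisory. It implements dpkg's version-ordering rules (epoch, then upstream, then revision, with "~" sorting before everything) and applies them to a fleet inventory. The fixed versions are those quoted in the table; the host names and the pre-fix version strings in SAMPLE_INVENTORY are constructed for this example. The point it demonstrates: the Ubuntu package version 0.16.3~24.04.2 is ordered *below* upstream 0.16.3, so a naive "is it at least 0.16.3" test would wrongly flag every patched 24.04 and 22.04 host as vulnerable. Compare against the release-specific fix version instead.

```python
# Fixed versions per the advisory table; a host whose installed version is
# older than the entry for its release still needs the update.
FIXED_VERSION = {
    "upstream": "0.16.3",
    "24.04": "0.16.3~24.04.2",
    "22.04": "0.16.3~22.04.2",
    "20.04": "0.9.2~20.04.2ubuntu0.1+esm2",
}


def _order(c: str) -> int:
    """dpkg's character weight for non-digit runs: '~' sorts before anything,
    even the end of the string; letters sort before other punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): compare alternating non-digit/digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run, compared character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger number,
        # and for equal length the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple:
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def needs_update(installed: str, release: str) -> bool:
    """True if the installed adsys version is older than the fix for that release."""
    return dpkg_compare(installed, FIXED_VERSION[release]) < 0


def upstream_affected(version: str) -> bool:
    """True for an upstream build inside the advisory's 0.13.0 to 0.16.2 range."""
    return dpkg_compare(version, "0.13.0") >= 0 and dpkg_compare(version, "0.16.3") < 0


# Constructed inventory: "<host> <ubuntu release> <package> <version>" per line,
# the package/version pair being what `dpkg-query -W -f='${Package} ${Version}\n' adsys`
# prints on each endpoint.
SAMPLE_INVENTORY = """\
host-a 24.04 adsys 0.16.2~24.04.1
host-b 24.04 adsys 0.16.3~24.04.2
host-c 22.04 adsys 0.16.3~22.04.2
host-d 20.04 adsys 0.9.2~20.04.1ubuntu0.1+esm1
"""


def triage(inventory: str) -> dict:
    """Map host -> True if its adsys package still needs the CVE-2026-12249 update."""
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, release, package, version = line.split()
            if package == "adsys":
                result[host] = needs_update(version, release)
    return result
```

Hosts without an adsys package at all are simply absent from the result, which is also the answer to "which endpoints use ADSys": only those that report the package need the auto-enrollment review and the update.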

Summary

CVE-2026-12249 is a CVSS 9.0 flaw in ADSys, the official tool for managing Ubuntu under Active Directory: because certificate auto-enrollment ran over plain HTTP, a man-in-the-middle can make a machine trust a forged root certificate. Affected versions are ADSys 0.13.0–0.16.2, fixed in 0.16.3 and in each Ubuntu LTS update.

It is the kind of hole that enables lateral expansion once someone is inside, and it endangers AD-managed Ubuntu endpoints as a group. Update first, then confirm that certificate-related traffic is encrypted.
