Which critical AD vulnerabilities are actually exploitable in your environment, validated continuously.
ADscan tests your Active Directory for ZeroLogon, PetitPotam, PrintNightmare and other critical vulnerabilities and misconfigurations, distinguishing what is genuinely exploitable from what a scanner merely detects as present, with compliance evidence ready for DORA and ENS.
AD vulnerability validation is the practice of confirming that a known vulnerability or misconfiguration is genuinely exploitable in your specific Active Directory environment, rather than simply confirming the patch is absent. ADscan tests each vulnerability in context, validates the exploitation path, and flags whether it leads to Domain Admin, so you prioritise based on real risk.
67%
Vulnerability scanners report CVE presence based on patch level. They do not confirm whether your specific network segmentation, GPO hardening, SMB signing configuration, or existing mitigations actually prevent exploitation. ZeroLogon was rated CVSS 10.0 but many environments had partial mitigations that made the attack fail; PetitPotam requires specific NTLM relay conditions that depend on your configuration. ADscan validates exploitability in your environment, not patch level in isolation, so you remediate what is actually dangerous rather than chasing phantom critical findings.
Share of critical AD CVEs that scanners report as present but are not actually exploitable due to environment-specific mitigations · Ponemon, 2024
- 01 Enumerate patch state and configuration: Collect Windows version, patch level, SMB signing configuration, LDAP signing and channel binding, NTLM settings, AS-REP target accounts and coercion service state from every Domain Controller and relevant host.
- 02 Test each vulnerability in context: For each candidate CVE or misconfiguration, evaluate the full exploitation preconditions — not just the patch — against your actual environment. No test proceeds unless the preconditions are met.
- 03 Validate ZeroLogon exploitability: Confirm the Netlogon service on each DC is both unpatched and reachable on the network. Flag each vulnerable DC as validated exploitable. The exploit itself is policy-blocked by default to prevent credential disruption on production DCs.
- 04 Detect and validate coercion conditions: Probe each DC and server for PetitPotam (MS-EFSRPC) and other coercion surfaces. Flag instances where coercion would succeed based on configuration, without triggering it automatically. Map each coercion finding to the relay chain it enables (RBCD, ADCS ESC8, NTLM relay to LDAP).
- 05 Validate misconfigurations end to end: SMB signing absent, LLMNR enabled, weak Kerberos encryption, stale domain functional level, and other misconfigurations are not just detected but tested: the tool confirms exploitation is feasible in your specific configuration.
- 06 Map to compliance and remediate: Tie each validated vulnerability to DORA, NIS2 and ENS, provide the patch or configuration fix, and distinguish findings that require emergency remediation from those that are lower-priority given your existing controls.
ZeroLogon (CVE-2020-1472) validation
ADscan checks every Domain Controller for Netlogon patch status and network reachability, validates that the exploitation preconditions are met, and flags the DC as exploitable. The ZeroLogon exploit itself is policy-blocked by default to prevent production credential disruption.
PetitPotam and coercion surface detection
ADscan probes for MS-EFSRPC and related coercion surfaces (PrintSpooler, WebDAV, DFSNM) on Domain Controllers and servers. Where coercion conditions are met, the finding is flagged with the downstream relay chains it enables, without triggering the coercion automatically.
NoPac (CVE-2021-42278 / CVE-2021-42287) validation
Where the domain functional level and machine account quota allow sAMAccountName spoofing, ADscan validates the exploitation path and confirms whether Domain Admin impersonation is achievable via the Kerberos PAC confusion chain.
SMB signing and NTLM relay surface
ADscan identifies hosts with SMB signing absent or not enforced, maps the relay target network, and validates whether NTLM relay to LDAP (for RBCD or privilege escalation) is feasible given your LDAP signing and channel binding settings.
Exploitability verdict, not just presence
For every tested vulnerability, the report delivers a binary exploitability verdict: exploitable in your environment, or present but not exploitable given your current configuration. No phantom criticals, no false urgency from patch-level-only checks.
Detection vs exploitation, explicitly stated
ADscan is explicit about the difference between what it validates by testing exploitability and what it detects and flags without auto-executing. Dangerous CVEs whose exploitation would cause production disruption are validated, not auto-exploited, and the report says so.
Mapped to the control your supervisor asks about.
Unpatched critical AD vulnerabilities are direct failures under DORA Article 9.4 (protection and prevention of ICT systems) and Article 24 (threat-led penetration testing and ICT testing), NIS2 Article 21 vulnerability management requirements, ENS Alto OP.EXP.2 and MP.IF.1 controls, and ISO 27001:2022 Annex A.8.8 (management of technical vulnerabilities). Each validated finding is paired with the specific control article and a plain-language summary of the compliance risk, ready to hand to an auditor.
The open-source ADscan engine on the command line tests for ZeroLogon, PetitPotam, coercion surfaces, NoPac, SMB relay conditions and critical misconfigurations, delivering an exploitability verdict for each. Free on GitHub, no license required.
Adds the board-ready PDF report with each validated finding mapped to DORA, NIS2 and ENS, MITRE ATT&CK references, Windows event IDs for detection, and a prioritised remediation schedule. Free in beta for consultancies and MSSPs in exchange for feedback. The Enterprise platform adds scheduled re-validation so new vulnerabilities introduced by configuration changes are caught continuously.
In regulated environments where ADscan has run a full vulnerability validation pass, at least one critical CVE was present but not exploitable due to mitigations the scanner had not modelled — and at least one finding the scanner rated moderate was validated as a live path to Domain Admin.
Questions, answered.
What is ZeroLogon and how does ADscan validate it?
ZeroLogon (CVE-2020-1472) is a cryptographic flaw in the Netlogon Remote Protocol that allows an unauthenticated attacker to set the computer password of a Domain Controller to an empty string, immediately granting Domain Admin rights. It was rated CVSS 10.0. ADscan validates ZeroLogon by confirming the DC is unpatched and that the Netlogon port is reachable from the test position. The exploit itself is policy-blocked by default because executing it on a production DC would disrupt authentication for the entire domain. The report flags the DC as validated exploitable with clear remediation.
What is PetitPotam and how does ADscan handle it?
PetitPotam (CVE-2021-36942) is a coercion technique that uses the MS-EFSRPC protocol to force a Domain Controller to authenticate to an attacker-controlled host. Combined with NTLM relay to ADCS (ESC8) or LDAP, it provides a path to Domain Admin without any credential. ADscan probes for the MS-EFSRPC and related coercion surfaces and flags each instance where coercion conditions are met, along with the downstream relay chains the coercion enables. The coercion is not auto-triggered; instead the finding is flagged with full technical detail.
How does ADscan validate exploitability rather than just detecting vulnerability presence?
Exploitability validation means testing the full precondition chain, not just the patch level. For ZeroLogon: unpatched AND reachable on the network from the test position. For NTLM relay: SMB signing absent AND LDAP signing/channel binding not enforced AND relay target has a privilege escalation path. For coercion: MS-EFSRPC or equivalent interface reachable AND NTLM relay infrastructure in place. Each condition is checked in your actual environment, so the exploitability verdict reflects your real configuration, not a generic CVE score.
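As an added example (not ADscan's code), the precondition chains in this answer evaluated over a constructed host inventory to produce the binary verdict and name the control that blocks a finding. The `Host` and `Controls` schema, the sample values and the `ldap_relay_open` rule are assumptions of the example; it goes one step beyond the answer by treating LDAP signing (LDAP) and channel binding (LDAPS) as two separate relay channels, and it models "NTLM relay infrastructure in place" for coercion as that relay path being open.

```python
from collections import namedtuple

# Constructed inventory schema for this example; field meanings follow the FAQ answer above.
Host = namedtuple("Host", "name is_dc netlogon_patched netlogon_reachable smb_signing_required efsrpc_reachable")
Controls = namedtuple("Controls", "ldap_signing_required ldap_channel_binding relay_target_privesc")

# Signing closes relay to LDAP (389), channel binding closes relay to LDAPS (636); blocked only when both hold.
def ldap_relay_open(h, c):
    return not (c.ldap_signing_required and c.ldap_channel_binding)

# Each finding: (name, presence test, [(precondition met?, control that blocks it otherwise)])
FINDINGS = [
    ("ZeroLogon (CVE-2020-1472)",
     lambda h, c: h.is_dc and not h.netlogon_patched,
     [(lambda h, c: h.netlogon_reachable, "Netlogon RPC not reachable from test position")]),
    ("NTLM relay to LDAP",
     lambda h, c: not h.smb_signing_required,
     [(ldap_relay_open, "LDAP signing required and channel binding enforced"),
      (lambda h, c: c.relay_target_privesc, "no privilege-escalation target behind the relay")]),
    ("MS-EFSRPC coercion (PetitPotam)",
     lambda h, c: h.efsrpc_reachable,
     # "relay infrastructure in place" is modelled (an assumption) as the LDAP relay path being open
     [(ldap_relay_open, "coerced authentication cannot be relayed to LDAP/LDAPS")]),
]

def verdict(finding, host, ctl):
    # None if absent; otherwise the page's binary verdict plus the blocking control for the report.
    _, present, preconds = finding
    if not present(host, ctl):
        return None
    unmet = [why for ok, why in preconds if not ok(host, ctl)]
    if unmet:
        return "present but not exploitable", "blocked by " + "; ".join(unmet)
    return "exploitable", "all preconditions met"

def triage(hosts, ctl):
    # One row per present finding, exploitable rows first so remediation is ordered by real risk.
    rows = [(h.name, f[0]) + v for h in hosts for f in FINDINGS if (v := verdict(f, h, ctl))]
    return sorted(rows, key=lambda r: r[2] != "exploitable")

# Constructed sample (no real hosts): DC1 unpatched but Netlogon filtered, DC2 unpatched and
# reachable, FS1 without SMB signing; LDAP signing on but channel binding not yet enforced.
SAMPLE_HOSTS = [
    Host("DC1", True, False, False, True, True),
    Host("DC2", True, False, True, True, False),
    Host("FS1", False, True, False, False, False),
]
SAMPLE_CONTROLS = Controls(ldap_signing_required=True, ldap_channel_binding=False, relay_target_privesc=True)
if __name__ == "__main__": print(*triage(SAMPLE_HOSTS, SAMPLE_CONTROLS), sep="\n")
```

With signing required but channel binding off, the relay and coercion findings stay exploitable via LDAPS, which is the kind of partial mitigation the verdict is meant to expose.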
What is the difference between vulnerability scanning and exploitation validation?
A vulnerability scanner checks patch level and reports CVEs that are present on unpatched software. Exploitation validation tests whether the vulnerability is actually reachable and exploitable in your environment given your network segmentation, GPO hardening, service configuration and existing controls. Scanners routinely report critical CVEs as present in environments where they cannot actually be exploited. ADscan validates exploitability in context so you remediate what is actually dangerous.
Which AD CVEs and vulnerability families does ADscan test?
ADscan tests and validates ZeroLogon (CVE-2020-1472), PetitPotam and MS-EFSRPC coercion (CVE-2021-36942 and related), NoPac (CVE-2021-42278 and CVE-2021-42287), SMB relay conditions (MS14-068 context), PrintSpooler and WebDAV coercion surfaces, weak Kerberos encryption, LLMNR/NBT-NS poisoning conditions, SMB signing absence, AS-REP roasting exposure, and stale domain functional levels. The full tested catalogue is published in the ADscan documentation.
Why does ADscan not auto-exploit ZeroLogon and PetitPotam?
ZeroLogon execution on a production DC changes the machine account password and breaks domain authentication for all machines that rely on that DC — the disruption is immediate and severe. PetitPotam triggers live NTLM authentication on the DC, which in relay scenarios can cause authentication errors and audit log noise. ADscan validates the preconditions and confirms exploitability without executing the disruptive step, because the goal is proof of risk, not production disruption. This policy is explicit in the report so there is no ambiguity about what was tested.
Find out which path to Domain Admin you have today.
Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.